On Information Flow Control in Event-B and Refinement

The virtual machine in the fine-grained information flow tracking is the basis for realization of transparent cloud platform program level control. The information flow control access to sensitive information in the process, because the authority transfer security level and cannot read or write the non sensitive data, the coarse granularity information flow control is difficult to meet the actual demand of diversification, this paper proposes extended DIFC (Distributed Information Flow Control) model, this model avoids component of cloud platform virtual machine because of the higher level of security sensitive data through reading, it sends or modifies the defects of non sensitive data by transfering the authority, and effectively overcomes the defect that the existing information flow control method for the coarse granularity, and the shortcomings which unable to meet the actual demand, this model guarantees the tracking and control of fine-grained information flow within the virtual machine application, and it does not affect the original cloud service operation.

Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques is not flexible and cannot work with domain-specific information flow control policies. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that can allow each domain to define their own IFC policies while WS-AIFC is capable of preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service based systems.

This research is supported by the China National R&D Key Research Program (2019YFB1705703) and the In-terdisciplinary Program of SJTU, Shanghai, China (No. YG2019ZDA07).

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation, which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both, information flow and access control, in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy.

Protecting confidential data in today's computing environments is an important problem. Information flow control can help to avoid information leakage and violations introduced by executing the software applications. In software development cycle, it is important to handle security related issues from the beginning specifications at the level of abstract. Mu [1] investigated the problem of preserving information flow security in the Event-B specification models. A typed Event-B model was presented to enforce information flow security and to prevent direct flows introduced by the system. However, in practice, timing behaviours of programs can also introduce a covert flow. The problem of run-time flow monitoring and controlling must also be addressed. This paper investigates information flow control in the Event-B specification language with timing constructs. We present a timed Event-B system by introducing timers and relevant time constraints into the system events. We suggest a time-sensitive flow security condition for the timed Event-B systems, and present a type system to close the covert channels of timing flows for the system by ensuring the security condition. We then investigate how to refine timed events during the stepwise refinement modelling to satisfy the security condition.

Information Flow Control (IFC) is important to ensure secure programs where secret data does not influence any public data. The pervasive standard that IFC aims to is non-interference. Current IFC systems are separated into dynamic IFC, static IFC, and hybrids between static and dynamic. With dynamic IFC suffering from high overhead and limited ability to prevent implicit flows due to the paths not taken, we propose a novel modular static IFC system. To the best of our knowledge, this is the first modular static IFC system. Unlike type-based static IFC systems, ours is logic-based. The limitation of type-based IFC systems is in the inviolability of static security label declarations for fields. As such, they suffer from transient leaks on fields. Our proposed system uses a Hoare-like logic. It verifies each function independently with the help of separation logic. Furthermore, we provide the proof of correctness for our novel IFC system with respect to termination- and timing-insensitive non-interference.

Mechanisms of neuroprogression and interventions to predict and arrest it

CDroid: practically implementation a formal-analyzed CIFC model on Android

In mobile platforms and their app markets, controlling app permissions and preventing abuse of private information are crucial challenges. Information Flow Control (IFC) is a powerful approach for formalizing and answering user concerns such as: Does this app send my geolocation to the Internet? Yet despite intensive research efforts, IFC has not been widely adopted in mainstream programming practice. Abstract We observe that the typical structure of Android apps offers an opportunity for a novel and effective application of IFC. In Android, an app consists of a collection of a few dozen each in charge of some high-level functionality. Most components do not require access to most resources. These components are a natural and effective granularity at which to apply IFC (as opposed to the typical process-level or language-level granularity). By assigning different permission labels to each component, and limiting information flow between components, it is possible to express and enforce IFC constraints. Yet nuances of the Android platform, such as its multitude of discretionary (and somewhat arcane) communication channels, raise challenges in defining and enforcing component boundaries.Abstract We build a system, DroidDisintegrator, which demonstrates the viability of component-level IFC for expressing and controlling app behavior. DroidDisintegrator uses dynamic analysis to generate IFC policies for Android apps, repackages apps to embed these policies, and enforces the policies at runtime. We evaluate DroidDisintegrator on dozens of apps.

A new generation of avionics system has three major technical characteristics of high resource sharing, data integration and software intensive. However, in the cooperative combat environment, which has the problem of potential sensitive information leakage and tamper when the combat aircraft communicate with each other. In this paper, we are based on the single node of information flow control model, combined with PCS, proposed a distributed information flow control model in MILS, constructed the PCS information flow control strategy, and together with other trusted component of information flow control strategy that form the multi-level information flow control policy framework, which design an information flow control mechanism of PCS and realized the distributed information flow control in MILS. After analysis and verification, the design of the distributed information flow security control method in MILS can effectively ensure the confidentiality and integrity of the information among the nodes.

In order to minimize uncertainty of the inversed parameters to the largest extent by making full use of the limited information in remote sensing data, it is necessary to understand what the information flow in quantitative remote sensing model inversion is, thus control the information flow. Aiming at this, the paper takes the linear kernel-driven model inversion as an example. At first, the information flow in different inversion methods is calculated and analyzed, then the effect of information flow controlled by multi-stage inversion strategy is studied, finally, an information matrix based on USM is defined to control information flow in inversion. It shows that using Shannon entropy decrease of the inversed parameters can express information flow more properly. Changing the weight of a priori knowledge in inversion or fixing parameters and partitioning datasets in multi-stage inversion strategy can control information flow. In regularization inversion of remote sensing, information matrix based on USM may be a better tool for quantitatively controlling information flow.

Making Data Flow

Secure service composition with information flow control in service clouds

Information flow control (IFC) has been extensively studied as an approach to mitigate information leaks in applications. A vast majority of existing work in this area is based on static analysis. However, some applications, especially on the Web, are developed using dynamic languages like JavaScript where static analyses for IFC do not scale well. As a result, there has been a growing interest in recent years to develop dynamic or runtime information flow analysis techniques. In spite of the advances in the field, runtime information flow analysis has not been at the helm of information flow security, one of the reasons being that the analysis techniques and the security property related to them (non-interference) over-approximate information flows (particularly implicit flows), generating many false positives. In this paper, we present a sound and precise approach for handling implicit leaks at runtime. In particular, we present an improvement and enhancement of the so-called permissive-upgrade strategy, which is widely used to tackle implicit leaks in dynamic information flow control. We improve the strategy’s permissiveness and generalize it. Building on top of it, we present an approach to handle implicit leaks when dealing with complex features like unstructured control flow and exceptions in higher-order languages. We explain how we address the challenge of handling unstructured control flow using immediate post-dominator analysis. We prove that our approach is sound and precise.

Due to multi-tenancy, access control is a very important component in SaaS (Software as a Service), especially for controlling cross-tenant accesses. Due to the potential information flow among multiple tenants, information flow control should also be carefully addressed. Existing models for SaaS access control have some limitations, especially in information flow control. In this paper, we define a new SaaS-AIFC model to provide comprehensive and improved access and information flow control in SaaS. SaaS-AIFC incorporates two advanced features. First, SaaS-AIFC integrates the advanced role mapping technique to govern the cross-tenant accesses. Role mapping is very flexible and can be very efficient for SaaS with a large number of tenants. We integrate role mapping in SaaS by developing a detailed process for mapping establishment and retrieval during validation. Second, we propose a new IFC model in SaaS-AIFC, which tracks the dependency of data objects and uses the dependency information to achieve flexible information flow control. An architecture design for realizing the SaaS-AIFC model is also proposed.