Verification of Information Flow and Access Control Policies with Dependent Types

Abstract

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.

Similar Papers
  • Research Article
  • Cited by 60
  • 10.1145/2491522.2491523
Dependent Type Theory for Verification of Information Flow and Access Control Policies
  • Jul 1, 2013
  • ACM Transactions on Programming Languages and Systems
  • Aleksandar Nanevski + 2 more

Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.

  • Research Article
  • Cited by 38
  • 10.1016/j.jss.2021.111138
Detecting violations of access control and information flow policies in data flow diagrams
  • Nov 10, 2021
  • Journal of Systems and Software
  • Stephan Seifermann + 3 more

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial, but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both information flow and access control in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy.

  • Conference Article
  • 10.2991/ameii-15.2015.195
Research on the Tracking Algorithm of Program Level Fine-grained Data based on Cloud Virtual Environment
  • Jan 1, 2015
  • Zhigang Zhang + 3 more

The virtual machine in fine-grained information flow tracking is the basis for realizing transparent, program-level control on a cloud platform. Information flow control governs access to sensitive information in a process; because authority transfer changes the security level and the process can then neither read nor write non-sensitive data, coarse-grained information flow control is difficult to reconcile with the actual demand for diversification. This paper proposes an extended DIFC (Distributed Information Flow Control) model. This model avoids the defect whereby a component of a cloud platform virtual machine, after reading higher-level security-sensitive data, sends or modifies non-sensitive data by transferring its authority; it effectively overcomes the coarse granularity of existing information flow control methods and their inability to meet actual demand. The model guarantees the tracking and control of fine-grained information flow within virtual machine applications without affecting the original cloud service operation.

  • Conference Article
  • Cited by 7
  • 10.1145/2462410.2462414
An information flow control meta-model
  • Jun 12, 2013
  • Dennis Kafura + 1 more

In this paper a meta-model for information flow control is defined using the foundation of Barker's access control meta-model. The purposes for defining this meta-model are to achieve a more principled understanding of information flow control, to compare information flow control and access control at an abstract level, and to explore how information flow control and access control might be composed to yield a rich new set of ideas and systems for controlling the dissemination of sensitive information. It is shown that it is possible to define a meta-model for information flow control, that such a model is more complex compared to the access control meta-model, and that the meta-models for information flow control and access control can be composed in a conceptually straightforward way.

  • Conference Article
  • Cited by 1
  • 10.1109/compsac.2015.195
An Access and Information Flow Control Paradigm for Secure Information Sharing in Service-Based Systems
  • Jul 1, 2015
  • Nidhiben Solanki + 4 more

Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web services do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that can allow each domain to define its own IFC policies while WS-AIFC is capable of preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service-based systems.

  • Book Chapter
  • Cited by 11
  • 10.1007/978-3-540-76929-3_12
An Integrated Model for Access Control and Information Flow Requirements
  • Dec 9, 2007
  • Samiha Ayed + 2 more

Current information systems are more and more complex. They require more interactions between different components and users. So, ensuring system security must not be limited to using an access control model; it is also primordial to deal with information flows in a system. Thus, an important function of a security policy is to enforce access to different system elements and supervise information flows simultaneously. Several works have been undertaken to join together models of access control and information flow. Unfortunately, beyond the fact that the reference model they use is BLP, which is quite rigid, these research works suggest non-integrated models which do nothing but juxtapose access control and information flow controls, or are based on a misuse of a mapping between MLS and RBAC models. In this paper, we suggest formalizing the DTE model in order to use it as a solution for flexible information flow control. Then, we integrate it into a unique access control model expressive enough to handle access and flow control security rules. The expressivity of the OrBAC model makes this integration possible and quite natural.

  • Research Article
  • Cited by 5
  • 10.1109/tdsc.2021.3133576
CVTEE: A Compatible Verified TEE Architecture With Enhanced Security
  • Jan 1, 2023
  • IEEE Transactions on Dependable and Secure Computing
  • Xinliang Miao + 7 more

Sensitive resources in Trusted Execution Environment (TEE) have suffered serious security threats in recent years. Previous protection approaches either lack a strong assurance of TEE security properties or are limited to a single platform. We propose a compatible verified TEE architecture, called CVTEE, which delegates a security monitor to manage TEE resources securely. This architecture has two key advantages: i) its functional correctness and security are guaranteed by a machine-checkable proof of security objectives of Trusted Application (TA) isolation, runtime confidentiality, and runtime integrity, and ii) it is applicable to different TEE platforms and implementation-independent due to its high level of abstraction and non-determinism of data types. Note that access control policy and information flow control policy are the core for security management of resources. After formally specifying the security attributes of TEE resources, we develop these policies based on Common Criteria (CC) in the security monitor and provide atomic interfaces. CVTEE is formally verified with 386 lemmas/theorems and ~10,000 LOC of Isabelle/HOL. In addition, we implement a proof of concept for the access control module of Teaclave, and prove that the constructed access control model meets the security requirements through 5 theorems.

  • Components
  • 10.1109/tdsc.2021.3133576/mm1
Supp1-3133576.pdf
  • Dec 17, 2021
  • Rui Chang

Sensitive resources in Trusted Execution Environment (TEE) have suffered serious security threats in recent years. Previous protection approaches either lack a strong assurance of TEE security properties or are limited to a single platform. We propose a compatible verified TEE architecture, called CVTEE, which delegates a security monitor to manage TEE resources securely. This architecture has two key advantages: i) its functional correctness and security are guaranteed by a machine-checkable proof of security objectives of Trusted Application (TA) isolation, runtime confidentiality, and runtime integrity, and ii) it is applicable to different TEE platforms and implementation-independent due to its high level of abstraction and non-determinism of data types. Note that access control policy and information flow control policy are the core for security management of resources. After formally specifying the security attributes of TEE resources, we develop these policies based on CC in the security monitor and provide atomic interfaces. CVTEE is formally verified with 386 lemmas/theorems and ~ 10,000 LOC of Isabelle/HOL. In addition, we implement a proof of concept for the access control module of Teaclave, and prove that the constructed access control model meets the security requirements through 5 theorems.

  • Conference Article
  • Cited by 50
  • 10.1109/csfw.2003.1212711
Using access control for secure information flow in a Java-like language
  • Jul 15, 2003
  • A Banerjee + 1 more

Access control mechanisms are widely used with the intent of enforcing confidentiality and other policies, but few formal connections have been made between information flow and access control. Java and C# are object-oriented languages that provide fine-grained access control. An access control list specifies local policy by authorizing permissions for principals (code sources) associated with class declarations; a mechanism called stack inspection checks permissions at run time. An example is given to show how this mechanism can be used to achieve confidentiality goals in situations where a single system call serves callers of differing confidentiality levels and dynamic access control prevents release of high information to low callers. A static analysis is given which applies to such examples. The analysis is shown to ensure a noninterference property formalizing confidentiality.

  • Research Article
  • Cited by 5
  • 10.15514/ispras-2017-29(3)-1
On the problem of representing a formal security policy model for operating systems
  • Jan 1, 2017
  • Proceedings of the Institute for System Programming of the RAS
  • P.N Devyanin

In connection with the process of implementation by the Federal Service for Technical and Export Control of Russia Information Security Requirements for Operating Systems, the work analyzes the ways of fulfilling the requirements of the functional component ADV_SPM.1 Formal Security Policy Model, including defining the language, depth and detail of the presentation of the access control policy and information flows. Among other things, proposals are given on the composition of the main elements of the model, the use of tools for its verification. The practical possibility of applying the proposed approaches is considered by the example of the presentation of the description and verification of the mandatory entity-role security model for logical access control and information flows as the basis of the access control mechanism in the special-purpose operating system Astra Linux Special Edition.

  • Conference Article
  • Cited by 7
  • 10.1109/ias.2008.31
Developing a Security Typed Java Servlet
  • Sep 1, 2008
  • Doaa Hassan + 2 more

The lack of security policy enforcement in Web development languages is one of the most important challenges in Web application systems development, as there is no formal check for security policy violations that may occur during Web application system development. To check for policy compliance, the programmer must walk through all the code and check every line to make sure that there are no security violations. For example, a developer may develop a Web application system connected to a database that seems to work properly, but it can violate a certain security policy by permitting unauthorized users to access the database system. This paper proposes a solution for the above problem by developing and applying a security-typed Java servlet that can run on the Web server side safely. This servlet is developed by embedding the Java code produced by compiling the Java information flow language (Jif) (a security-typed programming language that extends Java with support for information flow control and access control, both at compile time and at run time) into a servlet code format. The code produced by compiling the Jif language is security-typed and provides the servlet with means of flow control and access control. Hence we can guarantee that when we run this servlet in a Web application system it will check input data passing through the Web application system for security policy violations.

  • Research Article
  • 10.5204/mcj.1975
Making Data Flow
  • Aug 1, 2002
  • M/C Journal
  • Adrian Mackenzie

  • Conference Instance
  • Cited by 4
  • 10.1145/1180337
Proceedings of the fourth ACM workshop on Formal methods in security
  • Nov 3, 2006

This volume contains the proceedings of the Fourth ACM Workshop on Formal Methods in Security Engineering (FMSE'06) held in Fairfax, Virginia, November 3rd 2006, in conjunction with the 13th ACM Conference on Computer and Communications Security. Information security has become a crucial concern for the commercial deployment of almost all applications and middleware. Although this is commonly recognized, the incorporation of security requirements in the software development process is not yet well understood. The deployment of security mechanisms is often ad hoc, without a formal security specification or analysis, and practically always without a formal security validation of the final product. Progress is being made, but there remains a wide gap between high-level security models and actual code development. The purpose of FMSE is to bring together researchers and practitioners from both the security and the software engineering communities, from academia and industry, who are working to apply formal methods to the design and validation of large-scale systems. The scope of the workshop, as indicated by the call for papers, covers the security and formal methods aspects of: security specification techniques, formal trust models, combination of formal techniques with semi-formal techniques like UML, formal analyses of specific security properties relevant to software development, security-preserving composition and refinement of processes, symbolic and computational models of security protocols, integration of security aspects into formal development methods and tools, access control policies, information flow, risk management and network security, formal analysis of firewalls and intrusion detection systems, trusted computing, and case studies. As for previous years, the paper selection process was very competitive. Our call for papers attracted 21 submissions from Asia, North Africa, Canada, Europe, Russia, and the United States. The program committee accepted 7 papers for presentation at the workshop. Many high-quality papers had to be rejected. In addition, the program includes invited talks from Joshua Guttman and Steve Zdancewic.

  • Supplementary Content
  • Cited by 7
  • 10.4324/9781315618265-12
Between truth and power
  • Oct 29, 2013
  • SSRN Electronic Journal
  • Julie E Cohen

The call to ‘speak truth to power’, now employed most frequently as a banal protest trope or a generalized call to action, originates in the title of a pamphlet in which intellectual leaders of the Quaker faith opposed the ongoing Cold War and advocated its peaceful resolution. They offered an account of the polarization of the geopolitical landscape that moved beyond the continuing threat of horrific violence to reckon with what a contemporary economist might call the opportunity costs of militarization. Those costs were both moral and material; resources devoted to the production and strategic deployment of expensive weapons were resources that could not be devoted to improving standards of living for the world’s neediest people. For the writers, the most important kind of power was the power to choose between using American might to achieve military domination and using it to advance the cause of human wellbeing. The pamphlet authors’ appeal to the power to choose between domination and human flourishing remains fundamental, and yet their conceptions of both the exercise of domination and the exercise of principled resistance now seem dated in one critical respect. To understand both domination and resistance in the twenty-first century, we must take account of the ways that networked information technologies mediate the ongoing dialogue between truth and power. That relationship cannot be understood via simple deterministic equivalencies. Arguments about the freedom-enhancing potential of the network too often rely on a conception of networked information technologies as inherently connective and egalitarian in their operation, but they are neither. Between truth and power is the code – the technical infrastructures that facilitate information flows between people, and between people and the entities that wield power in their lives – and the code has fractal effects on both power and truth.

Code can become a means for resisting domination or a vehicle for embedding it, but even that formulation is too simple. Through its capacities to authorize, exclude and modulate information flows, code can become a means for multiplying and extending power, and for privatizing and fragmenting truth. The problem of control over information flows thus emerges as an important vantage point from which to interrogate ‘the idea of Power itself, and its impact on [twenty-first] century life’. Although states do attempt to control information flows in various ways, this problem does not map neatly to the exercise of state power, nor does it map to traditional conceptions of power as (capacity for) physical force. Questions about the extent of private control of information flows also have become flash points for public anger about the capacity for self-determination, or lack thereof, enjoyed by ordinary people. Such anger is not frivolous; access to information and control of information are intimately related to the choice between domination and flourishing. Debates about state censorship are highly visible, but they represent only one piece of a larger puzzle, which concerns the extent to which global circuits of information flow are settling into patterns that serve larger constellations of economic and political power. Law and legal institutions are intimately involved in this process, and not only as a means of representation and resistance. Law too stands between truth and power, and code and law together have become tools for structuring contests over the material conditions of understanding, participation and self-determination. This chapter uses the evolving landscape of law and policy in the areas of copyright and information privacy/data protection to explore the issues of control and power in the emerging networked information society. It considers three interrelated sets of developments.

The second section describes patterns of information flow in the domains of copyright and information privacy/data protection, and considers the distinctive kinds of power relations that they are producing. The third section explores the evolving conceptualization of legal rights in the two domains, and traces the ways that the ongoing production and reproduction of private economic power are reshaping shared understandings of what the law guarantees. We see there that both copyright law and information privacy/data protection law have become entry points for neoliberalization within narratives about fundamental rights of authorship, cultural participation, and privacy. In the fourth section, we see that processes of neoliberalization do not involve only concepts. Pressures to reinforce private control of information flows are catalysing far-reaching changes in the structure of governance institutions, altering not only the interpretation of fundamental legal guarantees but also the mechanisms by which legal rights and obligations are defined and enforced. A more systematic integration of questions about control over information flows within traditional legal narratives about fundamental rights and human development is urgently needed, but I argue that it is also important to consider the ways that established institutional pathways for defining and vindicating rights and promoting development agendas are being circumvented by emerging networked governance institutions.

  • Conference Article
  • Cited by 5
  • 10.1145/3450569.3463570
Towards Unifying RBAC with Information Flow Control
  • Jun 11, 2021
  • Radhika B S + 2 more

Role-based Access Control (RBAC) is one of the most widely implemented access control models. In today's complex computing systems, one of the increasingly sought-after features for reliable security is information flow control. Although RBAC is a policy-neutral and generic model, its implementations generally do not provide information flow control. In this paper, we present two approaches to address this issue. In the first method, we describe how a lattice model can be captured using an RBAC configuration. In the second method, we analyze the information flows in a given RBAC policy using a decentralized lattice model called Readers-Writers Flow Model. This method identifies the indirect information flows in the policy and helps in creating flow-secure RBAC policies. We discuss the scope and limitations of these methods in detail and also present a brief case study. Finally, we investigate the use of flow-secure RBAC policies in creating flow-secure Attribute-based Access Control (ABAC) policies.
