Journal ArticleDOI

A lattice model of secure information flow

01 May 1976 - Communications of the ACM (ACM) - Vol. 19, Iss. 5, pp. 236-243
TL;DR: The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches to formulating the requirements of secure information flow among security classes.
Abstract: This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by the semantics of information flow. The lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security. The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches. It also leads to the construction of automatic program certification mechanisms for verifying the secure flow of information through a program.

Citations
Journal ArticleDOI
TL;DR: TaintDroid as mentioned in this paper is an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data by leveraging Android's virtualized execution environment.
Abstract: Today's smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android's virtualized execution environment. TaintDroid incurs only 32% performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users' private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.

2,983 citations

Proceedings ArticleDOI
04 Oct 2010
TL;DR: Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, this work found 68 instances of misappropriation of users' location and device identification information across 20 applications.
Abstract: Today's smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides realtime analysis by leveraging Android's virtualized execution environment. TaintDroid incurs only 14% performance overhead on a CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.

2,379 citations

Journal ArticleDOI
TL;DR: A structured view of research on information-flow security is given, particularly focusing on work that uses static program analysis to enforce information- flow policies, and some important open challenges are identified.
Abstract: Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Previously, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this paper, we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of work in the area and identify some important open challenges.

2,058 citations


Additional excerpts

  • ...static certification [40], [62] noninterference [47], [49], [50]...

Book
01 Jan 2001
TL;DR: In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables.
Abstract: Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions about. Be aware: This is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenious ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the cold war brought on a decline in defenses against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say), and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables. A terrific read for security professionals and general readers alike. --David Wall
Topics covered: How some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the U.S. Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). Sections deal with technologies, policies, psychology, and legal matters.

1,852 citations

Proceedings ArticleDOI
01 Jan 1999
TL;DR: The new language JFlow is described, an extension to the Java language that adds statically-checked information flow annotations and provides several new features that make information flow checking more flexible and convenient than in previous models.
Abstract: A promising technique for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate the data. While previous work has proposed programming language extensions to allow this static checking, the resulting languages are too restrictive for practical use and have not been implemented. In this paper, we describe the new language JFlow, an extension to the Java language that adds statically-checked information flow annotations. JFlow provides several new features that make information flow checking more flexible and convenient than in previous models: a decentralized label model, label polymorphism, run-time label checking, and automatic label inference. JFlow also supports many language features that have never been integrated successfully with static information flow control, including objects, subclassing, dynamic type tests, access control, and exceptions. This paper defines the JFlow language and presents formal rules that are used to check JFlow programs for correctness. Because most checking is static, there is little code space, data space, or run-time overhead in the JFlow implementation.

1,160 citations

References
Book
01 Jan 1967
TL;DR: In this article, the authors present an abstract theory that categorically and systematically describes what all these machines can do and what they cannot do, giving sound theoretical or practical grounds for each judgment, and the abstract theory tells us in no uncertain terms that the machines' potential range is enormous and that its theoretical limitations are of the subtlest and most elusive sort.
Abstract: From the Preface (See Front Matter for full Preface) Man has within a single generation found himself sharing the world with a strange new species: the computers and computer-like machines. Neither history, nor philosophy, nor common sense will tell us how these machines will affect us, for they do not do "work" as did machines of the Industrial Revolution. Instead of dealing with materials or energy, we are told that they handle "control" and "information" and even "intellectual processes." There are very few individuals today who doubt that the computer and its relatives are developing rapidly in capability and complexity, and that these machines are destined to play important (though not as yet fully understood) roles in society's future. Though only some of us deal directly with computers, all of us are falling under the shadow of their ever-growing sphere of influence, and thus we all need to understand their capabilities and their limitations. It would indeed be reassuring to have a book that categorically and systematically described what all these machines can do and what they cannot do, giving sound theoretical or practical grounds for each judgment. However, although some books have purported to do this, it cannot be done for the following reasons: a) Computer-like devices are utterly unlike anything which science has ever considered---we still lack the tools necessary to fully analyze, synthesize, or even think about them; and b) The methods discovered so far are effective in certain areas, but are developing much too rapidly to allow a useful interpretation and interpolation of results. The abstract theory---as described in this book---tells us in no uncertain terms that the machines' potential range is enormous, and that its theoretical limitations are of the subtlest and most elusive sort. There is no reason to suppose machines have any limitations not shared by man.

2,219 citations

Journal ArticleDOI
Butler W. Lampson
TL;DR: A set of examples attempts to stake out the boundaries of the problem by defining a program during its execution so that it cannot transmit information to any other program except its caller.
Abstract: Confining a program during its execution so that it cannot transmit information to any other program except its caller. A set of examples attempts to stake out the boundaries of the problem. Necessary conditions for a solution are stated and informally justified.

1,459 citations


"A lattice model of secure informati..." refers background in this paper

  • ...The usual solution to this problem is to prevent the service process from retaining any information, confidential or not, after it ceases to operate on behalf of a customer [1, 13, 16]....

  • ...One is confinement: constraining a service process from leaking confidential information about a customer process [16]....

  • ...a process's effect on the system load) [16]....

Journal ArticleDOI
TL;DR: A model of protection mechanisms in computing systems is presented and its appropriateness is argued and it can be shown that this problem is decidable, i.e. there is an algorithm to determine whether a system in a particular configuration is safe.
Abstract: A model of protection mechanisms in computing systems is presented and its appropriateness is argued. The "safety" problem for protection systems under this model is to determine in a given situation whether a subject can acquire a particular right to an object. In restricted cases, it can be shown that this problem is decidable, i.e. there is an algorithm to determine whether a system in a particular configuration is safe. In general, and under surprisingly weak assumptions, it cannot be decided if a situation is safe. Various implications of this fact are discussed.

1,162 citations


"A lattice model of secure informati..." refers background in this paper

  • ...[12] have recently demonstrated that in general it may be undecidable whether an access right to an object will "leak" to a process in a system whose access control mechanism is modeled by an access matrix [11, 15]....

01 Nov 1973
TL;DR: The first results of an investigation into solutions to problems of security in computer systems are reported, establishing the basis for rigorous investigation by providing a general descriptive model of a computer system.
Keywords: Set theory, Mathematical models, Computer information security, Computer privacy, Computer security, Systems theory
Abstract: The paper reports the first results of an investigation into solutions to problems of security in computer systems; it establishes the basis for rigorous investigation by providing a general descriptive model of a computer system. Borrowing basic concepts and constructs from general systems theory, the authors formed a basic result concerning security in computer systems, using precise notions of 'security' and 'compromise'. The authors also demonstrate how a change in requirements can be reflected in the resulting mathematical model. A lengthy introductory section is included in order to bridge the gap between general systems theory and practical problem solving.

1,052 citations