Language-Based Information-Flow Security. Richard Mancusi CSCI 297. References. Andrei Sabelfeld, Andrew C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communication, special issue on Formal Methods for Security, 21(1), January 2003, pages 5-19.
“A break-in at a government contractor's offices has opened 45,000 former and current employees and stockholders up to identity theft.”
SecurityInfoWatch.com, Feb 22, 2005
“…box of computer tapes containing information on 3.9 million customers was lost on May 2 by United Parcel Service…”
The New York Times, June 7, 2005
“…the security breach involves a computer virus that captured customer data…”
The Washington Post, June 18, 2005
“…the ability to prevent capabilities (and hence authority) from being transmitted improperly.”
A clear separation of confidential data from public data.
Problematic for security levels
“Confidentiality can be obtained by ensuring that the process sensitivity label remains high throughout the rest of the program.”
Implicit Flows
H := H mod 2;
L := 0;
if (H == 1)
    L := 1
For a given semantic model, noninterference is formalized as follows: C is secure iff
Which reads: “If two input states share the same low values, then the behaviors of the program executed on these states are indistinguishable by the attacker.”
Indicates the absence of any dependency between the program values which operate within a higher security context and the program values which have a lower security context.
h := 0; l := h;
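As an added example (not from the paper or these slides), the following brute-force check applies the noninterference definition above to the implicit-flow program from the earlier slide and to h := 0; l := h, over a small finite value domain. The tuple-based mini-language (skip, assignment, sequence, if) is an assumption chosen for the example.

```python
# Added example (not from the paper or slides): brute-force check of the
# noninterference condition over a finite value domain. Programs are tuples
# ("skip",), ("assign", var, expr), ("seq", c1, c2), ("if", cond, c1, c2);
# expressions and conditions are Python lambdas over the state dict.
from itertools import product

def run(cmd, state):
    """Big-step execution of a command; returns the final state."""
    kind = cmd[0]
    if kind == "skip":
        return state
    if kind == "assign":
        _, var, expr = cmd
        return {**state, var: expr(state)}
    if kind == "seq":
        return run(cmd[2], run(cmd[1], state))
    if kind == "if":
        _, cond, c_then, c_else = cmd
        return run(c_then if cond(state) else c_else, state)
    raise ValueError(f"unknown command {kind!r}")

def low_equal(s1, s2, low):
    """Two states are low-equal when they agree on every low variable."""
    return all(s1[v] == s2[v] for v in low)

def noninterference_witness(cmd, low, high, values=range(4)):
    """Return a pair of low-equal inputs whose low outputs differ (a leak),
    or None if the program is noninterfering over this value domain."""
    names = low + high
    states = [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]
    for s1 in states:
        for s2 in states:
            if low_equal(s1, s2, low) and not low_equal(run(cmd, s1), run(cmd, s2), low):
                return s1, s2
    return None

# The implicit-flow slide: H := H mod 2; L := 0; if (H == 1) L := 1
IMPLICIT = ("seq", ("assign", "H", lambda s: s["H"] % 2),
            ("seq", ("assign", "L", lambda s: 0),
                    ("if", lambda s: s["H"] == 1, ("assign", "L", lambda s: 1), ("skip",))))

# The noninterference slide: h := 0; l := h (same variable names as above).
# Syntactically it copies high into low, yet semantically it leaks nothing.
CONSTANT_COPY = ("seq", ("assign", "H", lambda s: 0), ("assign", "L", lambda s: s["H"]))

if __name__ == "__main__":
    print("implicit flow leaks on:", noninterference_witness(IMPLICIT, ["L"], ["H"]))
    print("h := 0; l := h leaks on:", noninterference_witness(CONSTANT_COPY, ["L"], ["H"]))
```

The semantic check accepts h := 0; l := h, whereas a security type system of the kind surveyed in the paper rejects the assignment l := h regardless of what precedes it; that gap is the price of a decidable, conservative static analysis.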
With concurrency, values must be protected at
enter_critical(); h := 0; l := h; exit_critical()
(if h = 1 then C else skip); l := 1 || l := 0
Variations of security levels must be protected during context swaps (difficult)
Timing attacks on encryption are possible because the time at which decryption fails, for different input values, can lead an attacker to infer the true value of a key.
Prevent such attacks by equalizing the time taken for successful and failed decryption.