A Model for Delimited Information Release

Abstract

Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical. On the other side of the spectrum are type systems designed to accommodate some information leakage. However, there is often little or no guarantee about what is actually being leaked. As a consequence, such type systems are vulnerable to laundering attacks, which exploit declassification mechanisms to reveal more secret data than intended. To bridge this gap, this paper introduces a new security property, delimited release, an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks. In addition, a security type system is given that straightforwardly and provably enforces delimited release.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2004
Accession Number
AD1022058

Entities

People

  • Andrei Sabelfeld
  • Andrew C. Myers

Organizations

  • Cornell University

Tags

DTIC Thesaurus Topics

  • Computations
  • Computer Science
  • Computers
  • Cryptography
  • Cybersecurity
  • Databases
  • Environment
  • Guarantees
  • Information Theory
  • Language
  • Military Research
  • Notation
  • Robotics
  • Security
  • Security Protocols
  • Specifications
  • Standards

Fields of Study

  • Computer science
  • Mathematics

Readers

  • Cybersecurity.
  • Database Systems and Applications