From Expressive Tags to System Security Policies
Abstract
An alternative to associating policy-specific guards with operations—the standard way today to enforce security policies in systems—is to associate policy-specific security labels with pieces of information. The labels specify how the tagged information may and may not be used. Reactive Information Flow (RIF) labels are an expressive class of such policy-specific security labels. RIF labels allow the restrictions assigned to the output of an operation op(x1, x2, ..., xn) to depend on the operator op and on the restrictions associated with the inputs x1, x2, ..., xn. This allows the value produced by op(x1, x2, ..., xn) to be assigned fewer restrictions, additional restrictions, or an incomparable set of restrictions compared with those associated with x1, x2, ..., xn. Confidentiality, integrity, and use-based privacy can all be supported. When RIF labels serve as types for values and variables, type correctness of a program should enable inference about the security properties that program exhibits. Under the auspices of the requested funding, deductive apparatus for making those inferences will be developed. A type system based on Kleene Algebra with Tests will be the starting point. Other classes of RIF labels will be explored, too. Dynamic enforcement mechanisms for RIF labels will also be explored. Although these incur run-time costs, dynamic enforcement mechanisms need not be as conservative as static type checking. An enforcement mechanism that works by blocking an execution can leak sensitive information, however. A new family of block-safe dynamic enforcement mechanisms that avoids leaks has recently been developed. It uses chains of classical information flow labels but depends on assumptions inconsistent with RIF labels. This project will investigate how block-safe enforcement mechanisms might be extended to handle RIF labels and reclassification.
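The dependence of an output's restrictions on the operator, as an added example that is not part of the award abstract or the project's own code. It models a RIF label as a small state machine (a modelling assumption), covers only confidentiality, and uses hypothetical principals and operator names.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RifLabel:
    """Reactive label: the current state fixes who may read the value."""
    state: str
    readers: dict                               # state -> frozenset of permitted readers
    delta: dict = field(default_factory=dict)   # (state, op) -> next state

    def allowed(self):
        return self.readers[self.state]

    def after(self, op):
        # An operator with no transition leaves the restrictions unchanged.
        nxt = self.delta.get((self.state, op), self.state)
        return RifLabel(nxt, self.readers, self.delta)

def result_label(op, *inputs):
    """Label the value op(x1, ..., xn) from the labels of x1, ..., xn.

    Each input label first reacts to op; the result may be read only by
    principals that every reacted input label permits (the intersection).
    The reacted labels are returned so later operators can reclassify again."""
    stepped = tuple(lbl.after(op) for lbl in inputs)
    return stepped, frozenset.intersection(*(l.allowed() for l in stepped))

def may_flow(readers, principal):
    """Guard-free check: release a value only to a permitted reader."""
    return principal in readers

# Constructed sample labels; principals and operator names are hypothetical.
EVERYONE = frozenset({"alice", "bob", "carol"})
secret = RifLabel("plain", {"plain": frozenset({"alice"}), "cipher": EVERYONE},
                  {("plain", "encrypt"): "cipher"})        # op removes restrictions
record = RifLabel("single", {"single": EVERYONE, "bulk": frozenset({"alice"})},
                  {("single", "aggregate"): "bulk"})       # op adds restrictions
ballot = RifLabel("cast", {"cast": frozenset({"alice", "bob"}),
                           "tally": frozenset({"bob", "carol"})},
                  {("cast", "count"): "tally"})            # incomparable result

if __name__ == "__main__":
    for op, args in [("encrypt", (secret,)), ("aggregate", (record, record)),
                     ("count", (ballot,)), ("concat", (secret, record))]:
        before = frozenset.intersection(*(a.allowed() for a in args))
        _, after = result_label(op, *args)
        print(f"{op:9} inputs allow {sorted(before)} -> result allows {sorted(after)}")
```

The `concat` case has no transition in any input label, so it falls back to the classical behaviour in which the output is at least as restricted as every input.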
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jan 14, 2022
- Source ID: FA95501910264
Entities
People
- Fred B. Schneider
Organizations
- Air Force Office of Scientific Research
- Cornell University
- United States Air Force