On Dynamic Flow-Sensitive Floating-Label Systems
Paper in proceedings, 2014
Flow-sensitive analysis for information-flow control (IFC) allows data structures to have mutable security labels, i.e., labels that can change over the course of the computation. This feature is often used to boost the permissiveness of the IFC monitor, by rejecting fewer programs, and to reduce the burden of explicit label annotations. However, when added naively, in a purely dynamic setting, mutable labels can expose a high bandwidth covert channel. In this work, we present an extension for LIO—a language-based floating-label system—that safely handles flow-sensitive references. The key insight to safely manipulating the label of a reference is to not only consider the label on the data stored in the reference, i.e., the reference label, but also the label on the reference label itself. Taking this into consideration, we provide an upgrade primitive that can be used to change the label of a reference in a safe manner. To eliminate the burden of determining when a reference should be upgraded, we additionally provide a mechanism for automatic upgrades. Our approach naturally extends to a concurrent setting, not previously considered by dynamic flow-sensitive systems. For both our sequential and concurrent calculi, we prove non-interference by embedding the flow-sensitive system into the flow-insensitive LIO calculus, a surprising result on its own.
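As an added illustration (a toy simulation written for this page, not the paper's LIO calculus or its proofs), the two-point-lattice monitor below shows the covert channel that naive mutable reference labels open, the effect of also labeling the reference label, and an explicit upgrade performed before the secret-dependent branch; the names `Monitor`, `observe`, `to_labeled` and `publish` are assumptions of this model.

```python
# Toy IFC monitor (added simulation, not the paper's LIO calculus)
L, H = "L", "H"                                  # public, secret
def flows(a, b): return a == L or b == H         # a may flow to b
def join(a, b): return H if H in (a, b) else L

class IFCError(Exception): pass
class Monitor:
    def __init__(self, label_the_label):
        self.label_the_label = label_the_label   # False = naive flow-sensitive refs
        self.pc = L                              # current (floating) label
        self.refs = {}                           # name -> [ref_label, label_label, value]
    def new_ref(self, name, label, value):
        if not flows(self.pc, label): raise IFCError("alloc below pc")
        self.refs[name] = [label, self.pc, value]
    def upgrade(self, name, label):              # explicit upgrade primitive
        ref = self.refs[name]
        if not flows(ref[0], label): raise IFCError("labels only go up")
        ref[0], ref[1] = label, join(ref[1], self.pc)  # remember who raised it
    def write(self, name, value):
        ref = self.refs[name]
        if not flows(self.pc, ref[0]):           # automatic upgrade on write
            self.upgrade(name, join(ref[0], self.pc))
        ref[2] = value
    def label_of(self, name):
        ref = self.refs[name]
        if self.label_the_label:                 # learning the label taints pc
            self.pc = join(self.pc, ref[1])
        return ref[0]
    def to_labeled(self, thunk):                 # run thunk, then restore pc
        saved = self.pc
        thunk()
        self.pc = saved
    def publish(self, value):                    # output on a public channel
        if not flows(self.pc, L): raise IFCError("pc is H")
        return value

def observe(secret, label_the_label, upgrade_first=False):
    """Public view of the low reference's label after a secret-dependent write."""
    m = Monitor(label_the_label)
    m.new_ref("low", L, 0)
    if upgrade_first: m.upgrade("low", H)        # raise it while pc is still L
    def branch_on_secret():
        m.pc = H                                 # inspecting the secret raises pc
        if secret: m.write("low", 1)             # naive: label becomes H iff secret
    m.to_labeled(branch_on_secret)
    try:
        return m.publish(m.label_of("low"))
    except IFCError:
        return "blocked"
```

Without the label on the label the observer reads `H` or `L` according to the secret; with it the program can at most be stopped, and after an upgrade done while the current label is still `L` both branches yield `H`.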
Keywords: language-based security, flow sensitivity, information-flow control, dynamic enforcement, floating label