Policies and Mechanisms for Securing Information Release
Doktorsavhandling, 2009
Security assurance is an important challenge for modern
computing. Intentional information release (declassification) is often
crucial for such assurance. Security-critical systems demand
expressive policies for information release that are beyond what
conventional security models may offer.
This thesis studies practical and theoretical aspects of information
release. It starts with a case study of implementing a
declassification-intensive security protocol in a security-typed
language. This, largest up to the publication date, case study
suggests patterns for secure programming and demonstrates the
multifaceted nature of declassification: from near-innocent relabeling
of a ciphertext to potentially dangerous release of secret keys.
The thesis further explores different aspects of information
release. We present a policy cryptographically-masked flows that
enables reasoning about information flow in the presence of encryption,
decryption, and key generation. We propose a type system that
enforces security for a small imperative language with cryptographic
primitives, which prevents dangerous program behavior such as giving
away a secret key or confusing keys and non-keys. This approach is
exemplified with secure implementations of cryptographic protocols.
To facilitate reasoning about release of keys, the thesis suggests an
attacker-centric model of gradual release that formalizes a concept of
attacker’s knowl- edge. The essence of gradual release is that during
a program run the knowledge should not change unless caused by an
explicit declassification. This turns out to be a powerful foundation
for release policies, which we demonstrate by formally connecting
revelation-based and encryption-based declassification. We also show
how gradual release can be enforced by security types and effects.
Addressing one aspect of declassification while leaving out the others
would not be quite adequate. We present two conditions that can
express both what is released and where in code release happens. For
one of them, we give a conventional definition and show that a security
type system from the literature (which was designed for treating the
what aspect) in fact enforces the combination of what and where
policies. The other one is a general framework for rich
information-release policies. We present tight and modular enforcement
by hybrid mechanisms that combine monitoring with on-the-fly program
analysis for a language with dynamic code evaluation and communication
primitives.
The thesis also analyzes security guarantees for programs with
communication primitives if one ignores termination leaks — an
assumption often made by the existing information-flow tools. We
develop a definition of termination-insensitive noninterference
suitable for reasoning about such programs which generalises
traditional “batch-job” style definitions and is satisfied by a
Denning-style program analysis. Although more than a bit of
information can be leaked by programs satisfying this condition, we
show that the best an attacker can do is a brute-force attack. If we
further assume uniform distribution of secrets, we show that the
advantage the attacker gains when guessing the secret after observing
a polynomial amount of output is negligible in the size of the secret.
EDIT blgd, room EE, floor 6
Opponent: Prof. David Basin, Department of Computer Science, ETH Zurich, Switzerland