Policies and Mechanisms for Securing Information Release

Doktorsavhandling, 2009

Security assurance is an important challenge for modern computing. Intentional information release (declassification) is often crucial for such assurance. Security-critical systems demand expressive policies for information release that are beyond what conventional security models may offer. This thesis studies practical and theoretical aspects of information release. It starts with a case study of implementing a declassification-intensive security protocol in a security-typed language. This, largest up to the publication date, case study suggests patterns for secure programming and demonstrates the multifaceted nature of declassification: from near-innocent relabeling of a ciphertext to potentially dangerous release of secret keys. The thesis further explores different aspects of information release. We present a policy cryptographically-masked flows that enables reasoning about information flow in the presence of encryption, decryption, and key generation. We propose a type system that enforces security for a small imperative language with cryptographic primitives, which prevents dangerous program behavior such as giving away a secret key or confusing keys and non-keys. This approach is exemplified with secure implementations of cryptographic protocols. To facilitate reasoning about release of keys, the thesis suggests an attacker-centric model of gradual release that formalizes a concept of attacker’s knowl- edge. The essence of gradual release is that during a program run the knowledge should not change unless caused by an explicit declassification. This turns out to be a powerful foundation for release policies, which we demonstrate by formally connecting revelation-based and encryption-based declassification. We also show how gradual release can be enforced by security types and effects. Addressing one aspect of declassification while leaving out the others would not be quite adequate. We present two conditions that can express both what is released and where in code release happens. For one of them, we give a conventional definition and show that a security type system from the literature (which was designed for treating the what aspect) in fact enforces the combination of what and where policies. The other one is a general framework for rich information-release policies. We present tight and modular enforcement by hybrid mechanisms that combine monitoring with on-the-fly program analysis for a language with dynamic code evaluation and communication primitives. The thesis also analyzes security guarantees for programs with communication primitives if one ignores termination leaks — an assumption often made by the existing information-flow tools. We develop a definition of termination-insensitive noninterference suitable for reasoning about such programs which generalises traditional “batch-job” style definitions and is satisfied by a Denning-style program analysis. Although more than a bit of information can be leaked by programs satisfying this condition, we show that the best an attacker can do is a brute-force attack. If we further assume uniform distribution of secrets, we show that the advantage the attacker gains when guessing the secret after observing a polynomial amount of output is negligible in the size of the secret.