Attacker Control and Impact for Confidentiality and Integrity

Aslan Askarov; Andrew Myers

doi:10.2168/LMCS-7(3:17)2011

Aslan Askarov ; Andrew Myers - Attacker Control and Impact for Confidentiality and Integrity

lmcs:987 - Logical Methods in Computer Science, September 26, 2011, Volume 7, Issue 3 - https://doi.org/10.2168/LMCS-7(3:17)2011

Attacker Control and Impact for Confidentiality and IntegrityArticle

Authors: Aslan Askarov ; Andrew Myers

Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be characterized in terms of the influence that declassification and endorsement allow to the attacker. The new framework introduces two notions of security to describe the influence of the attacker.
Attacker control defines what the attacker is able to learn from observable effects of this code; attacker impact captures the attacker's influence on trusted locations. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.

https://doi.org/10.2168/LMCS-7(3:17)2011

Source: arXiv.org:1107.5594

Volume: Volume 7, Issue 3

Secondary volumes: Selected Papers of the 19th European Symposium on Programming (ESOP 2010)

Published on: September 26, 2011

Imported on: June 14, 2010

Keywords: Computer Science - Programming Languages, Computer Science - Cryptography and Security, D.3.3, D.4.6

Licence: arXiv.org - Non-exclusive license to distribute

Funding:

Source : OpenAIRE Graph

TC: Medium: Higher-Level Abstractions for Trustworthy Federated Systems; Funder: National Science Foundation; Code: 0964409
Team for Research in Ubiquitous Secure Technology (TRUST); Funder: National Science Foundation; Code: 0424422

Classifications

Mathematics Subject Classification 2020¹

Sources:

[1] zbMATH Open.

Bibliographic References

25 Documents citing this article

Ethan Cecchetti, 2025, Nonmalleable Progress Leakage, arXiv (Cornell University), pp. 537-552, 10.1109/csf64896.2025.00029, http://arxiv.org/abs/2505.12210.

Matvey Soloviev;Musard Balliu;Roberto Guanciale, 2024, Security Properties through the Lens of Modal Logic, 2024 IEEE 37th Computer Security Foundations Symposium (CSF), pp. 340-355, 10.1109/csf61375.2024.00009.

McKenna McCall;Abhishek Bichhawat;Limin Jia, 2023, Tainted Secure Multi-Execution to Restrict Attacker Influence, Figshare, pp. 1732-1745, 10.1145/3576915.3623110, https://figshare.com/articles/report/Restricting_Attacker_Influence_in_Reactive_Programs_with_Dynamic_Secrets/22296628.

Aditya Oak;Amir M. Ahmadian;Musard Balliu;Guido Salvaneschi, 2021, Language Support for Secure Software Development with Enclaves, KTH Publication Database DiVA (KTH Royal Institute of Technology), pp. 1-16, 10.1109/csf51468.2021.00037, http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-295509.

Jeppe Fredsgaard Blaabjerg;Aslan Askarov, 2021, Towards Language-Based Mitigation of Traffic Analysis Attacks, arXiv (Cornell University), abs 1812 955, pp. 1-15, 10.1109/csf51468.2021.00030, http://arxiv.org/abs/2106.12934.

Andrei Popescu;Peter Lammich;Ping Hou, 2020, CoCon: A Conference Management System with Formally Verified Document Confidentiality, Journal of Automated Reasoning, 65, 2, pp. 321-356, 10.1007/s10817-020-09566-9, https://doi.org/10.1007/s10817-020-09566-9.

Andrew K. Hirsch;Pedro H. Azevedo de Amorim;Ethan Cecchetti;Ross Tate;Owen Arden, 2020, First-Order Logic for Flow-Limited Authorization, arXiv (Cornell University), pp. 123-138, 10.1109/csf49147.2020.00017, http://arxiv.org/abs/2001.10630.

Johan Bay;Aslan Askarov, 2020, Reconciling progress-insensitive noninterference and declassification, arXiv (Cornell University), pp. 95-106, 10.1109/csf49147.2020.00015, http://arxiv.org/abs/2005.01977.

Mathias V. Pedersen;Stephen Chong, 2019, Programming with Flow-Limited Authorization: Coarser is Better, 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 63-78, 10.1109/eurosp.2019.00015.

N. V. Narendra Kumar;R. K. Shyamasundar, 2019, A Semantic Notion of Secure Information-Flow, Communications in computer and information science, pp. 35-52, 10.1007/978-981-13-7561-3_3.

Simon Gregersen;Søren Eller Thomsen;Aslan Askarov, 2019, A Dependently Typed Library for Static Information-Flow Control in Idris, Lecture notes in computer science, pp. 51-75, 10.1007/978-3-030-17138-4_3, https://doi.org/10.1007/978-3-030-17138-4_3.

Andrey Chudnov;David A. Naumann, 2018, Assuming You Know: Epistemic Semantics of Relational Annotations for Expressive Flow Policies, 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 189-203, 10.1109/csf.2018.00021.

R.K. Shyamasundar;N.V. Narendra Kumar;Abhijit Taware;Parjanya Vyas, 2018, An Experimental Flow Secure File System, 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 10469, pp. 790-799, 10.1109/trustcom/bigdatase.2018.00113.

Ethan Cecchetti;Andrew C. Myers;Owen Arden, 2017, Nonmalleable Information Flow Control, arXiv (Cornell University), pp. 1875-1891, 10.1145/3133956.3134054, http://arxiv.org/abs/1708.08596.

Jed Liu;Owen Arden;Michael D. George;Andrew C. Myers, 2017, Fabric: Building open distributed systems securely by construction, Journal of Computer Security, 25, 4-5, pp. 367-426, 10.3233/jcs-15805.

Mounir Assaf;David A. Naumann, 2016, Calculational Design of Information Flow Monitors, 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 210-224, 10.1109/csf.2016.22.

Lin Yan;Yao Guo;Xiangqun Chen;Hong Mei, 2015, A Study on Power Side Channels on Mobile Devices, Proceedings of the 7th Asia-Pacific Symposium on Internetware, pp. 30-38, 10.1145/2875913.2875934.

Sergio Mauricio Martínez Monterrubio;Juan Frausto Solis;Raúl Monroy Borja, 2015, EMRlog Method for Computer Security for Electronic Medical Records with Logic and Data Mining, BioMed Research International, 2015, pp. 1-12, 10.1155/2015/542016, https://doi.org/10.1155/2015/542016.

Xun Gong;Negar Kiyavash, 2015, Quantifying the Information Leakage in Timing Side Channels in Deterministic Work-Conserving Schedulers, IEEE/ACM Transactions on Networking, 24, 3, pp. 1841-1852, 10.1109/tnet.2015.2438860.

Andrey Chudnov;George Kuan;David A. Naumann, 2014, Information Flow Monitoring as Abstract Interpretation for Relational Logic, 2014 IEEE 27th Computer Security Foundations Symposium, 5079, pp. 48-62, 10.1109/csf.2014.12.

Gilles Barthe;Gustavo Betarte;Juan Campo;Carlos Luna;David Pichardie, 2014, System-level Non-interference for Constant-time Cryptography, pp. 1267-1279, 10.1145/2660267.2660283.

Benjamin Venelle;Jeremy Briffaut;Laurent Clevy;Christian Toinard, 2013, Security Enhanced Java: Mandatory Access Control for the Java Virtual Machine, 16th IEEE International Symposium on Object/component/service-oriented Real-time distributed Computing (ISORC 2013), pp. 1-7, 10.1109/isorc.2013.6913208.

Musard Balliu, 2013, A Logic for Information Flow Analysis of Distributed Programs, KTH Publication Database DiVA (KTH Royal Institute of Technology), pp. 84-99, 10.1007/978-3-642-41488-6_6, http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-136195.

Owen Arden;Michael D. George;Jed Liu;K. Vikram;Aslan Askarov;Andrew C. Myers, 2012, Sharing Mobile Code Securely with Information Flow Control, 2012 IEEE Symposium on Security and Privacy, pp. 191-205, 10.1109/sp.2012.22.

Roberto Giacobazzi;Isabella Mastroeni, 2004, Abstract Non-Interference, ACM Transactions on Privacy and Security, 21, 1, pp. 1-197, 10.1145/3175660.

Sources : OpenCitations, OpenAlex & Crossref

Share and export

Consultation statistics

This page has been seen 3445 times.

This article's PDF has been downloaded 886 times.