TY - GEN
T1 - Trusted declassification
T2 - PLAS 2006 - 2006 Programming Languages and Analysis for Security Workshop
AU - Hicks, Boniface
AU - King, Dave
AU - McDaniel, Patrick
AU - Hicks, Michael
PY - 2006
Y1 - 2006
N2 - Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference which ensures that high-security data will not be observable on low-security channels. Because noninterference is typically too strong a property, most programs use some form of declassification to selectively leak high security information, e.g. when performing a password check or data encryption. Unfortunately, such a declassification is often expressed as an operation within a given program, rather than as part of a global policy, making reasoning about the security implications of a policy more difficult. In this paper, we propose a simple idea we call trusted declassification in which special declassifier functions are specified as part of the global policy. In particular, individual principals declaratively specify which declassifies they trust so that all information flows implied by the policy can be reasoned about in absence of a particular program. We formalize our approach for a Java-like language and prove a modified form of noninterference which we call noninterference modulo trusted methods. We have implemented our approach as an extension to Jif and provide some of our experience using it to build a secure e-mail client.
AB - Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference which ensures that high-security data will not be observable on low-security channels. Because noninterference is typically too strong a property, most programs use some form of declassification to selectively leak high security information, e.g. when performing a password check or data encryption. Unfortunately, such a declassification is often expressed as an operation within a given program, rather than as part of a global policy, making reasoning about the security implications of a policy more difficult. In this paper, we propose a simple idea we call trusted declassification in which special declassifier functions are specified as part of the global policy. In particular, individual principals declaratively specify which declassifies they trust so that all information flows implied by the policy can be reasoned about in absence of a particular program. We formalize our approach for a Java-like language and prove a modified form of noninterference which we call noninterference modulo trusted methods. We have implemented our approach as an extension to Jif and provide some of our experience using it to build a secure e-mail client.
UR - http://www.scopus.com/inward/record.url?scp=33745957768&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745957768&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:33745957768
SN - 1595933743
SN - 9781595933744
T3 - PLAS 2006 - Proceedings of the 2006 Programming Languages and Analysis for Security Workshop
SP - 65
EP - 74
BT - PLAS 2006 - Proceedings of the 2006 Programming Languages and Analysis for Security Workshop
Y2 - 10 June 2006 through 10 June 2006
ER -