Policies and Mechanisms for Securing Information Release

Abstract: Security assurance is an important challenge for modern computing. Intentional information release (declassi?cation) is often crucial for such assurance. Security-critical systems demand expressive policies for information release that are beyond what conventional security models may offer. This thesis studies practical and theoretical aspects of information release. It starts with a case study of implementing a declassi?cation-intensive security protocol in a security-typed language. This, largest up to the publication date, case study suggests patterns for secure programming and demonstrates the multifaceted nature of declassi?cation: from near-innocent relabeling of a ciphertext to potentially dangerous release of secret keys. The thesis further explores different aspects of information release. We present a policy cryptographically-masked ?ows that enables reasoning about information ?ow in the presence of encryption, decryption, and key generation. We propose a type system that enforces security for a small imperative language with cryptographic primitives, which prevents dangerous program behavior such as giving away a secret key or confusing keys and non-keys. This approach is exempli?ed with secure implementations of cryptographic protocols. To facilitate reasoning about release of keys, the thesis suggests an attacker-centric model of gradual release that formalizes a concept of attacker’s knowl- edge. The essence of gradual release is that during a program run the knowledge should not change unless caused by an explicit declassi?cation. This turns out to be a powerful foundation for release policies, which we demonstrate by formally connecting revelation-based and encryption-based declassi?cation. We also show how gradual release can be enforced by security types and effects. Addressing one aspect of declassi?cation while leaving out the others would not be quite adequate. We present two conditions that can express both what is released and where in code release happens. For one of them, we give a conventional de?nition and show that a security type system from the literature (which was designed for treating the what aspect) in fact enforces the combination of what and where policies. The other one is a general framework for rich information-release policies. We present tight and modular enforcement by hybrid mechanisms that combine monitoring with on-the-?y program analysis for a language with dynamic code evaluation and communication primitives. The thesis also analyzes security guarantees for programs with communication primitives if one ignores termination leaks — an assumption often made by the existing information-?ow tools. We develop a de?nition of termination-insensitive noninterference suitable for reasoning about such programs which generalises traditional “batch-job” style de?nitions and is satis?ed by a Denning-style program analysis. Although more than a bit of information can be leaked by programs satisfying this condition, we show that the best an attacker can do is a brute-force attack. If we further assume uniform distribution of secrets, we show that the advantage the attacker gains when guessing the secret after observing a polynomial amount of output is negligible in the size of the secret.