Information flow in a distributed security setting

Information flow security is classically formulated in terms of the absence of illegal information flows, with respect to a security setting consisting of a single flow policy that specifies what information flows should be permitted in the system. In this paper we investigate the security issues th...

Full description

Saved in:
Bibliographic Details
Published in:arXiv.org 2019-01
Main Authors: Ana Almeida Matos, Cederquist, Jan
Format: Article
Language:English
Subjects:
Computation
Cybersecurity
Domains
Information flow
Interference
Migration
Policies
Properties (attributes)
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Information flow security is classically formulated in terms of the absence of illegal information flows, with respect to a security setting consisting of a single flow policy that specifies what information flows should be permitted in the system. In this paper we investigate the security issues that emerge in distributed security settings, where each computation domain establishes its own local security policy, and where programs may exhibit location-dependent behavior. In particular, we study the interplay between two distinct flow policy layers: the declared flow policy, established by the program itself, and the allowed flow policy, established externally to the program by each computation domain. We refine two security properties that articulate how the behaviors of programs comply to the respective flow policies: Distributed Non-disclosure, for enabling programs to declare locally scoped flow policies; and Flow Policy Confinement, for controlling the flow policies that are declared by programs. We present enforcement mechanisms that are based on type and effect systems, ranging from purely static mechanisms to hybrid combinations with dynamic migration control, for enforcing the above properties on an expressive ML-like language with concurrent threads and code migration, and which includes an allowed flow policy construct that dynamically tests the allowed flow policy of the current context. Finally, we show that the combination of the above two properties guarantees that actual information flows do not violate the relevant allowed flow policies. To this end we propose and use the Distributed Non-Interference property, a natural generalization of Non-Interference to a distributed security setting that ensures that information flows in a program respect the allowed flow policy of the domains where they originate.
ISSN:2331-8422