Protecting privacy using the decentralized label model

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Protecting privacy using the decentralized label model

Full text

Pdf (294 KB)

Source

ACM Transactions on Software Engineering and Methodology (TOSEM) archive
Volume 9 , Issue 4 (October 2000) table of contents

Pages: 410 - 442

Year of Publication: 2000

ISSN:1049-331X

Authors

Andrew C. Myers	Cornell Univ., Ithaca, NY
Barbara Liskov	Massachusetts Institute of Technology, Cambridge

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 19, Downloads (12 Months): 130, Citation Count: 50

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/363516.363526 What is a DOI?

ABSTRACT

Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Information flow control allows the enforcement of end-to-end security policies, but has been difficult to put into practice. This article describes the decentralized label model, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The article introduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martín Abadi, Secrecy by Typing inSecurity Protocols, Proceedings of the Third International Symposium on Theoretical Aspects of Computer Software, p.611-638, September 23-26, 1997
	2	Martín Abadi , Anindya Banerjee , Nevin Heintze , Jon G. Riecke, A core calculus of dependency, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.147-160, January 20-22, 1999, San Antonio, Texas, United States [doi>10.1145/292540.292555]
	3	Johan Agat, Transforming out timing leaks, Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.40-53, January 19-21, 2000, Boston, MA, USA [doi>10.1145/325694.325702]
	4	Gregory R. Andrews , Richard P. Reitman, An Axiomatic Approach to Information Flow in Programs, ACM Transactions on Programming Languages and Systems (TOPLAS), v.2 n.1, p.56-76, Jan. 1980 [doi>10.1145/357084.357088]
	5	BELL, D. E. AND LAPADULA, L. J. 1976. Secure computer systems: Unified exposition and multics interpretation. Tech Rep. ESD-TR-75-306. MITRE Corp., Bedford, MA.
	6	BIBA, K. 1977. Integrity considerations for secure computer systems. Tech. Rep. ESD-TR-76-372. Electronic Systems Div., Air Force, Hanscom AFB, MA.
	7	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	8	Dorothy E. Denning , Peter J. Denning, Certification of programs for secure information flow, Communications of the ACM, v.20 n.7, p.504-513, July 1977 [doi>10.1145/359636.359712]
	9	U.S. DEPARTMENT OF DEFENSE. 1985. Trusted Computer System Evaluation Criteria. DoD 5200.28-STD.
	10	FEIERTAG, R. J. 1980. A technique for proving specifications are multilevel secure: Tech. Report CSL-109 (Jan.). Computer Science Laboratory, SRI International, Menlo Park, CA.
	11	R. J. Feiertag , K. N. Levitt , L. Robinson, Proving multilevel security of a system design, ACM SIGOPS Operating Systems Review, v.11 n.5, p.57-65, November 1977
	12	FENTON, J. S. 1973. Information protection systems. Ph.D. Dissertation. University of Cambridge, Cambridge, UK.
	13	FENTON, J. S. 1974. Memoryless subsystems. Computing 17, 2 (May), 143-147.
	14	E. Ferrari , P. Samarati , E. Bertino , S. Jajodia, Providing flexibility in information flow control for object oriented systems, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.130, May 04-07, 1997
	15	Riccardo Focardi , Roberto Gorrieri, The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties, IEEE Transactions on Software Engineering, v.23 n.9, p.550-571, September 1997 [doi>10.1109/32.629493]
	16	GOGUEN, J. A. AND MESEGUER, J. 1982. Security policies and security models. In Proceedings of the 1982 IEEE Computer Society Symposium on Research in Security and Privacy (Oakland, CA, May). IEEE Computer Society Press, Los Alamitos, CA, 11-20.
	17	GOGUEN, J. A. AND MESEGUER, J. 1984. Unwinding and inference control. In Proceedings of the IEEE Symposium on Security and Privacy (Apr.). 75-86.
	18	James Gosling , Bill Joy , Guy L. Steele, The Java Language Specification, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1996
	19	GRAY, J. W. I. 1990. Probabilistic interference. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 170-179.
	20	GRAY, J. W. I. 1991. Towards a mathematical foundation for information flow security. In Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy (May). IEEE Computer Society Press, Los Alamitos, CA, 21-34.
	21	Nevin Heintze , Jon G. Riecke, The SLam calculus: programming with secrecy and integrity, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.365-377, January 19-21, 1998, San Diego, California, United States [doi>10.1145/268946.268976]
	22	M. H. Kang , I. S. Moskowitz , D. C. Lee, A network version of the Pump, Proceedings of the 1995 IEEE Symposium on Security and Privacy, p.144, May 08-10, 1995
	23	KARGER, P. A. AND WRAY, J. C. 1991. Storage channels in disk arm optimization. In Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy (May). IEEE Computer Society Press, Los Alamitos, CA.
	24	Butler Lampson , Martín Abadi , Michael Burrows , Edward Wobber, Authentication in distributed systems: theory and practice, Proceedings of the thirteenth ACM symposium on Operating systems principles, p.165-182, October 13-16, 1991, Pacific Grove, California, United States
	25	Tim Lindholm , Frank Yellin, Java Virtual Machine Specification, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1999
	26	MCCOLLUM, C. J., MESSING, J. R., AND NOTARGIACOMO, L. 1990. Beyond the pale of MAC and DAC--Defining new forms of access control. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 190-200.
	27	MCCULLOUGH, D. 1987. Specifications for multi-level security and a hook-up property. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May). 161-166.
	28	M. D. McIlroy , J. A. Reeds, Multilevel security in the UNIX tradition, Software—Practice & Experience, v.22 n.8, p.673-694, Aug. 1992 [doi>10.1002/spe.4380220805]
	29	MCLEAN, J. 1990. Security models and information flow. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 180-187.
	30	John McLean, A General Theory of Composition for Trace Sets Closed under Selective Interleaving Functions, Proceedings of the 1994 IEEE Symposium on Security and Privacy, p.79, May 16-18, 1994
	31	Jonathan K. Millen, Security Kernel validation in practice, Communications of the ACM, v.19 n.5, p.243-250, May 1976 [doi>10.1145/360051.360059]
	32	MILLEN, J. K. 1981. Information flow analysis of formal specifications. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 3-8.
	33	MILLEN, J. K. 1987. Covert channel capacity. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May).
	34	Greg Morrisett , David Walker , Karl Crary , Neal Glew, From system F to typed assembly language, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.85-97, January 19-21, 1998, San Diego, California, United States [doi>10.1145/268946.268954]
	35	Andrew C. Myers, JFlow: practical mostly-static information flow control, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.228-241, January 20-22, 1999, San Antonio, Texas, United States [doi>10.1145/292540.292561]
	36	Andrew C. Myers , Barbara Liskov, Mostly-static decentralized information flow control, 1999
	37	MYERS, A. C. AND LISKOV, B. 1998. Complete, safe information flow with decentralized labels. In Proceedings of the 1998 IEEE Computer Society Symposium on Research in Security and Privacy (Oakland, CA, May). IEEE Computer Society Press, Los Alamitos, CA.
	38	George C. Necula, Proof-carrying code, Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.106-119, January 15-17, 1997, Paris, France [doi>10.1145/263699.263712]
	39	Jens Palsberg , Peter Ørbæk, Trust in the lambda-Calculus, Proceedings of the Second International Symposium on Static Analysis, p.314-329, September 25-27, 1995
	40	François Pottier , Sylvain Conchon, Information flow inference for free, Proceedings of the fifth ACM SIGPLAN international conference on Functional programming, p.46-57, September 2000
	41	Ravi S. Sandhu, Role Hierarchies and Constraints for Lattice-Based Access Controls, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.65-79, September 25-27, 1996
	42	Geoffrey Smith , Dennis Volpano, Secure information flow in a multi-threaded imperative language, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.355-364, January 19-21, 1998, San Diego, California, United States [doi>10.1145/268946.268975]
	43	STOUGHTON, A. 1981. Access flow: A protection model which integrates access control and information flow. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 9-18.
	44	SUTHERLAND, D. 1986. A model of information. In Proceedings on 9th National Security Conference (Gaithersburg, MD). 175-183.
	45	Dennis Volpano , Cynthia Irvine , Geoffrey Smith, A sound type system for secure flow analysis, Journal of Computer Security, v.4 n.2-3, p.167-187, Jan. 1996
	46	WITTBOLD, J. T. AND JOHNSON, D. M. 1990. Information flow in nondeterministic systems. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 144-161.
	47	A. Zakinthinos , E. S. Lee, A general theory of security properties, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.94, May 04-07, 1997

CITED BY 50

	Steve Zdancewic , Lantian Zheng , Nathaniel Nystrom , Andrew C. Myers, Untrusted hosts and confidentiality: secure program partitioning, ACM SIGOPS Operating Systems Review, v.35 n.5, Dec. 2001
	R. Barbuti , C. Bernardeschi , N. De Francesco, Abstract interpretation of operational semantics for secure information flow, Information Processing Letters, v.83 n.2, p.101-108, 31 July 2002
	Steve Zdancewic , Lantian Zheng , Nathaniel Nystrom , Andrew C. Myers, Secure program partitioning, ACM Transactions on Computer Systems (TOCS), v.20 n.3, p.283-328, August 2002
	R. Sekar , V.N. Venkatakrishnan , Samik Basu , Sandeep Bhatkar , Daniel C. DuVarney, Model-carrying code: a practical approach for safe execution of untrusted applications, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	Shih-Chien Chou, Embedding role-based access control model in object-oriented systems to protect privacy, Journal of Systems and Software, v.71 n.1-2, p.143-161, April 2004
	Shih-Chien Chou, Providing flexible access control to an information flow control model, Journal of Systems and Software, v.73 n.3, p.425-439, November-December 2004
	V. N. Venkatakrishnan , Ram Peri , R. Sekar, Empowering mobile code using expressive security policies, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia
	Peng Li , Steve Zdancewic, Downgrading policies and relaxed noninterference, ACM SIGPLAN Notices, v.40 n.1, p.158-170, January 2005
	Shih-Chien Chou , An-Feng Liu , Chien-Jung Wu, Preventing information leakage within workflows that execute among competing organizations, Journal of Systems and Software, v.75 n.1-2, p.109-123, 15 February 2005
	Shih-Chien Chou, An agent-based inter-application information flow control model, Journal of Systems and Software, v.75 n.1-2, p.179-187, 15 February 2005
	Mark D. Corner , Brian D. Noble, Protecting applications with transient authentication, Proceedings of the 1st international conference on Mobile systems, applications and services, p.57-70, May 05-08, 2003, San Francisco, California
	Petros Efstathopoulos , Maxwell Krohn , Steve VanDeBogart , Cliff Frey , David Ziegler , Eddie Kohler , David Mazières , Frans Kaashoek , Robert Morris, Labels and event processes in the asbestos operating system, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
	Shih-Chien Chou , Chin-Yi Chang, An information flow control model for C applications based on access control lists, Journal of Systems and Software, v.78 n.1, p.84-100, October 2005
	Shih-Chien Chou , Wei-Chuan Hsu , Wei-Kuang Lo, DPE/PAC: decentralized process engine with product access control, Journal of Systems and Software, v.76 n.3, p.207-219, June 2005
	Andrew C. Myers , Andrei Sabelfeld , Steve Zdancewic, Enforcing robust declassification and qualified robustness, Journal of Computer Security, v.14 n.2, p.157-196, January 2006
	Libin Wang , Kefei Chen, Comments on a theorem on grid access control, Future Generation Computer Systems, v.22 n.4, p.381-384, March 2006
	Shih-Chien Chou , Yuan-Chien Chen, Managing role relationships in an information flow control model, Journal of Systems and Software, v.79 n.4, p.507-522, April 2006
	Chuchang Liu , Mehmet A. Orgun, Towards security labelling, Proceedings of the 29th Australasian Computer Science Conference, p.69-76, January 16-19, 2006, Hobart, Australia
	Cédric Fournet , Andrew D. Gordon , Sergio Maffeis, A type discipline for authorization policies, ACM Transactions on Programming Languages and Systems (TOPLAS), v.29 n.5, p.25-es, August 2007
	Stephen Chong , K. Vikram , Andrew C. Myers, SIF: enforcing confidentiality and integrity in web applications, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	Steve Vandebogart , Petros Efstathopoulos , Eddie Kohler , Maxwell Krohn , Cliff Frey , David Ziegler , Frans Kaashoek , Robert Morris , David Mazières, Labels and event processes in the Asbestos operating system, ACM Transactions on Computer Systems (TOCS), v.25 n.4, p.11-es, December 2007
	Shih-Chien Chou, Preventing information leakage in C applications using RBAC-based model, Proceedings of the 5th WSEAS International Conference on Software Engineering, Parallel and Distributed Systems, p.169-173, February 15-17, 2006, Madrid, Spain
	Boniface Hicks , Sandra Rueda , Trent Jaeger , Patrick McDaniel, From trusted to secure: building and executing applications that enforce system security, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
	Neil Vachharajani , Matthew J. Bridges , Jonathan Chang , Ram Rangan , Guilherme Ottoni , Jason A. Blome , George A. Reis , Manish Vachharajani , David I. August, RIFLE: An Architectural Framework for User-Centric Information-Flow Security, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.243-254, December 04-08, 2004, Portland, Oregon
	S. H. K. Narayanan , M. Kandemir , R. Brooks, Performance aware secure code partitioning, Proceedings of the conference on Design, automation and test in Europe, April 16-20, 2007, Nice, France
	Brian J. Corcoran , Nikhil Swamy , Michael Hicks, Cross-tier, label-based security enforcement for web applications, Proceedings of the 35th SIGMOD international conference on Management of data, June 29-July 02, 2009, Providence, Rhode Island, USA
	Tom Chothia , Dominic Duggan , Ye Wu, An End-To-End Approach to Distributed Policy Language Implementation, Electronic Notes in Theoretical Computer Science (ENTCS), v.171 n.4, p.3-21, July, 2007
	Tanvir Ahmed , Anand R. Tripathi, Specification and verification of security requirements in a programming model for decentralized CSCW systems, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.7-es, May 2007
	Janus Dam Nielsen , Michael I. Schwartzbach, A domain-specific programming language for secure multiparty computation, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA
	Chuchang Liu , Angela Billard , Maris Ozols , Nikifor Jeremic, Access control models and security labelling, Proceedings of the thirtieth Australasian conference on Computer science, p.181-190, January 30-February 02, 2007, Ballarat, Victoria, Australia
	Stephen Tse , Steve Zdancewic, Run-time principals in information-flow type systems, ACM Transactions on Programming Languages and Systems (TOPLAS), v.30 n.1, p.6-es, November 2007
	Feng Qin , Cheng Wang , Zhenmin Li , Ho-seop Kim , Yuanyuan Zhou , Youfeng Wu, LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks, Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, p.135-148, December 09-13, 2006
	Petros Efstathopoulos , Eddie Kohler, Manageable fine-grained information flow, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
	Nickolai Zeldovich , Silas Boyd-Wickizer , David Mazières, Securing distributed systems with information flow control, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.293-308, April 16-18, 2008, San Francisco, California
	Andrea Bittau , Petr Marchenko , Mark Handley , Brad Karp, Wedge: splitting applications into reduced-privilege compartments, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.309-322, April 16-18, 2008, San Francisco, California
	Sandra Rueda , Dave King , Trent Jaeger, Verifying compliance of trusted programs, Proceedings of the 17th conference on Security symposium, p.321-334, July 28-August 01, 2008, San Jose, CA
	Maxwell Krohn , Alexander Yip , Micah Brodsky , Natan Cliffer , M. Frans Kaashoek , Eddie Kohler , Robert Morris, Information flow control for standard OS abstractions, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Secure web application via automatic partitioning, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Nickolai Zeldovich , Silas Boyd-Wickizer , Eddie Kohler , David Mazières, Making information flow explicit in HiStar, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
	Lin Tan , Ding Yuan , Gopal Krishna , Yuanyuan Zhou, /icomment: bugs or bad comments?/, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Cédric Fournet , Tamara Rezk, Cryptographically sound implementations for typed information-flow security, ACM SIGPLAN Notices, v.43 n.1, January 2008
	Annalisa Bossi , Carla Piazza , Sabina Rossi, Compositional information flow security for concurrent programs, Journal of Computer Security, v.15 n.3, p.373-416, August 2007
	Janne Lindqvist , Juha-Matti Tapio, Protecting privacy with protocol stack virtualization, Proceedings of the 7th ACM workshop on Privacy in the electronic society, October 27-27, 2008, Alexandria, Virginia, USA
	Alejandro Russo , Koen Claessen , John Hughes, A library for light-weight information-flow security in haskell, Proceedings of the first ACM SIGPLAN symposium on Haskell, September 25-25, 2008, Victoria, BC, Canada
	Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Building secure web applications with automatic partitioning, Communications of the ACM, v.52 n.2, February 2009
	Ziqing Mao , Ninghui Li , Hong Chen , Xuxian Jiang, Trojan horse resistant discretionary access control, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
	Toshihiro Yokoyama , Miyuki Hanaoka , Makoto Shimamura , Kenji Kono, Simplifying security policy descriptions for internet servers in secure operating systems, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii
	Marco Serafini , Neeraj Suri, Reducing the costs of large-scale BFT replication, Proceedings of the 2nd Workshop on Large-Scale Distributed Systems and Middleware, September 15-17, 2008, Yorktown Heights, New York
	Prince Mahajan , Ramakrishna Kotla , Catherine C. Marshall , Venugopalan Ramasubramanian , Thomas L. Rodeheffer , Douglas B. Terry , Ted Wobber, Effective and efficient compromise recovery for weakly consistent replication, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany
	Musard Balliu , Isabella Mastroeni, A weakest precondition approach to active attacks analysis, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, June 15-21, 2009, Dublin, Ireland

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Information flow controls

General Terms:
Languages, Security

Keywords:
confidentiality, declassification, downgrading, end-to-end, information flow controls, integrity, lattice, policies, principals, roles, type checking

REVIEW

"Jonathan K. Millen : Reviewer"

The decentralized label model is a policy for labeling data in a computer system to preserve confidentiality and integrity. Its philosophical roots are in the Denning lattice model, in which static analysis of programming language statements more...

Collaborative Colleagues:

Andrew C. Myers: colleagues

Barbara Liskov: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player