Attacker Control and Impact for Confidentiality and Integrity

Abstract

Language-based information flow methods offer a principled way to enforcestrong security properties, but enforcing noninterference is too inflexible forrealistic applications. Security-typed languages have therefore introduceddeclassification mechanisms for relaxing confidentiality policies, andendorsement mechanisms for relaxing integrity policies. However, a continuingchallenge has been to define what security is guaranteed when such mechanismsare used. This paper presents a new semantic framework for expressing securitypolicies for declassification and endorsement in a language-based setting. Thekey insight is that security can be characterized in terms of the influencethat declassification and endorsement allow to the attacker. The new frameworkintroduces two notions of security to describe the influence of the attacker.Attacker control defines what the attacker is able to learn from observableeffects of this code; attacker impact captures the attacker's influence ontrusted locations. This approach yields novel security conditions for checkedendorsements and robust integrity. The framework is flexible enough to recoverand to improve on the previously introduced notions of robustness and qualifiedrobustness. Further, the new security conditions can be soundly enforced by asecurity type system. The applicability and enforcement of the new policies isillustrated through various examples, including data sanitization andauthentication