Dynamic security policies
This thesis investigates the specification and the application of dynamic security policies in information-flow type systems. ^ In traditional information-flow type systems, programmers specify security policies as type annotations, and the type checker guarantees the confidentiality of secret variables by ruling out information leaks at compile time. These security policies state simply that high-security data does not affect low-security computation. Because they offer an explicit and declarative means of writing down policies, these type systems are attractive for specifying strong security constraints on software. ^ But practical systems interact with their dynamic environment via authentication and access control checks. Security policies in such systems necessarily involve principals and their privileges known only at run time. The challenge to existing security-typed languages is both practical and theoretical: What language constructs are necessary to connect the static information-flow analysis and the dynamic security environment? What formal theorems can be proved to guarantee the security properties of program written in the new language? ^ This dissertation aims to study the foundation and the application of information-flow analysis involving dynamic principals and dynamic delegation. Towards this goal, the author has developed new language constructs, formalized their semantics, proved the soundness of the analysis, implemented the analysis for a practical Java subset, and, finally, built and verified a prototype of a medical information system. ^ The main technical ideas behind the analysis are representation types and subtype refinement from type theory. A dynamic principal is represented with a special term that has a singleton type with an abstract type variable; a dynamic delegation is tested at a conditional branch so that the ordering of principals is statically refined at the success branch. These two ideas, combined with universal and existential quantification, allow the compile-time analysis to precisely track the principal identities and delegation constraints available at run time. ^ The main theoretical contribution is a generalized version of the standard noninterference theorem to account for dynamic delegation and downgrading. The intuition is that any delegation or explicit downgrading is witnessed by an external form of justification, namely certificates in our case. By ruling out certificates that are independent of the data's label, the secrecy and the integrity of the data are still guaranteed. Furthermore, the standard noninterference theorem then follows as a simple corollary. ^ Integrating the analysis with existing languages such as Java demands a balance between usability and compatibility. The key is to isolate system libraries such as credentials and database management in the trusted computing base, allowing the analysis to focus on application code. This work presents a design of the trusted interfaces with security types and a user application based on a realistic security model. ^
Stephen Chun-to Tse,
"Dynamic security policies"
(January 1, 2007).
Dissertations available from ProQuest.