
Departmental Papers (CIS)
Date of this Version
June 2004
Document Type
Conference Paper
Recommended Citation
Andrew C. Myers, Andrei Sabelfeld, and Stephan A. Zdancewic, "Enforcing Robust Declassification", . June 2004.
Abstract
Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems perform intentional release of sensitive information as part of their correct functioning and therefore violate noninterference. To control information flow while permitting intentional information release, some systems have a downgrading or declassification mechanism. A major danger of such a mechanism is that it may cause unintentional information release. This paper shows that a robustness property can be used to characterize programs in which declassification mechanisms cannot be exploited by attackers to release more information than intended. It describes a simple way to provably enforce this robustness property through a type-based compile-time program analysis. The paper also presents a generalization of robustness that supports upgrading (endorsing) data integrity.
Date Posted: 18 November 2004
This document has been peer reviewed.
Comments
Copyright 2004 IEEE. Reprinted from Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW 2004) pages 172-186.
Publisher URL: http://ieeexplore.ieee.org/xpl/tocresult.jsp?isNumber=29101&page=1
This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.