Departmental Papers (CIS)

Date of this Version

June 2004

Document Type

Conference Paper

Comments

Copyright 2004 IEEE. Reprinted from Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW 2004) pages 172-186.
Publisher URL: http://ieeexplore.ieee.org/xpl/tocresult.jsp?isNumber=29101&page=1

This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.

Abstract

Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems perform intentional release of sensitive information as part of their correct functioning and therefore violate noninterference. To control information flow while permitting intentional information release, some systems have a downgrading or declassification mechanism. A major danger of such a mechanism is that it may cause unintentional information release. This paper shows that a robustness property can be used to characterize programs in which declassification mechanisms cannot be exploited by attackers to release more information than intended. It describes a simple way to provably enforce this robustness property through a type-based compile-time program analysis. The paper also presents a generalization of robustness that supports upgrading (endorsing) data integrity.

Share

COinS
 

Date Posted: 18 November 2004

This document has been peer reviewed.