Principles of Secure Information Flow Analysis Georey Smith School of Computing and Information - PDF document

PrinciplesofSecureInformationFlowAnalysisGeoreySmithSchoolofComputingandInformationSciences,FloridaInternationalUniversity,Miami,Florida33199,USAsmithg@cis.fiu.eduIntoday'sworldoftheInternet,theWorld-WideWeb,andGoogle,informa-tionismoreaccessiblethaneverbefore.Anunfortunatecorollaryisthatitisharderthanevertoprotecttheprivacyofsensitiveinformation.Inthispaper,weexploreatechniquecalledsecureinformation\rowanalysis.Supposethatsomesensitiveinformationisstoredonacomputersystem.Howcanwepreventitfrombeingleakedimproperly?Probablytherstap-proachthatcomestomindistolimitaccesstotheinformation,eitherbyusingsomeaccesscontrolmechanism,orelsebyusingencryption.Theseareimportantandusefulapproaches,ofcourse,buttheyhaveafundamentallimitation|theycanpreventinformationfrombeingreleased,buttheycan-notpreventitfrombeingpropagated.Ifaprogramlegitimatelyneedsaccesstoapieceofinformation,howcanwebesurethatitwillnotsomehowleaktheinformationimproperly?Simplytrustingtheprogramisdangerous.Wemighttrytomonitoritsoutput,buttheprogramcouldeasilydisguisetheinformation.Furthermore,after-the-factdetectionisoftentoolate.Considerforexampleascenarioinvolvinge-lingoftaxes.Imightdown-loadataxpreparationprogramfromsomevendortomyhomecomputer.Icouldusetheprogramtopreparemytaxreturn,enteringmyprivatenancialinformation.TheprogrammightthensendmytaxreturntotheIRSelectron-ically,encryptingitrsttoprotectitscondentiality.ButtheprogrammightalsosendbillinginformationbacktothevendorsothatIcouldbechargedfortheuseoftheprogram.HowcanIbesurethatthisbillinginformationdoesnotcovertlyincludemyprivatenancialinformation?Theapproachofsecureinformation\rowanalysisinvolvesperformingastaticanalysisoftheprogramwiththegoalofprovingthatitwillnotleaksensitiveinformation.Iftheprogrampassestheanalysis,thenitcanbeexe-cutedsafely.Thisideahasalonghistory,goingbacktothepioneeringworkoftheDenningsinthe1970s[9].Ithassincebeenheavilystudied,ascanbeseenfromthesurveybySabelfeldandMyers[22],whichcitesabout150papers.Ourgoalhereisnottoduplicatethatsurvey,butinsteadtoexplainthe 2GeoreySmithprinciplesunderlyingsecureinformation\rowanalysisandtodiscusssomechallengesthathavesofarpreventedsecureinformation\rowanalysisfrombeingemployedmuchinpractice.1BasicPrinciplesThestartingpointinsecureinformation\rowanalysisistheclassicationofprogramvariablesintodierentsecuritylevels.ThemostbasicdistinctionistoclassifysomevariablesasL,meaninglowsecurity,publicinformation;andothervariablesasH,meaninghighsecurity,privateinformation.ThesecuritygoalistopreventinformationinHvariablesfrombeingleakedimproperly.Suchleakscouldtakeavarietyofforms,ofcourse,butcertainlyweneedtopreventinformationinHvariablesfrom\rowingtoLvariables.Moregenerally,wemightwantalatticeofsecuritylevels,andwewouldwishtoensurethatinformation\rowsonlyupwardsinthelattice[8].Forexample,ifLH,thenwewouldallow\rowsfromLtoL,fromHtoH,andfromLtoH,butwewoulddisallow\rowsfromHtoL.Anotherinterestingcaseinvolvesintegrityratherthancondentiality.Ifweviewsomevariablesascontainingpossiblytaintedinformation,thenwemaywishtopreventinformationfromsuchvariablesfrom\rowingintountaintedvariables,asinOrbk[19].WecanmodelthisusingalatticewithUntaintedTainted.ThisideaisalsothebasisofrecentworkbyNewsomeandSong[18]thatattemptstodetectwormsviaadynamictaintanalysis.LetusconsidersomeexamplesfromDenning[9],assumingthatsecret:Handleak:L.Clearlyillegalisanexplicit\row:leak=secret;Ontheotherhand,thefollowingshouldbelegal:secret=leak;asshouldleak=76318;Alsodangerousisanimplicit\row:if((secret%2)==0)leak=0;elseleak=1;Thiscopiesthelastbitofsecrettoleak.Arrayscanleadtosubtleinformationleaks.Ifarrayaisinitiallyall0,thentheprogram PrinciplesofSecureInformationFlowAnalysis3a[secret]=1;for(inti=0;ia.length;i++){if(a[i]==1)leak=i;}leakssecret.HowcanweformalizetheideathatprogramcdoesnotleakinformationfromHvariablestoLvariables?InVolpano,Smith,andIrvine[32],thedesiredsecuritypropertyisformulatedasfollows:Denition1(Noninterference).Programcsatisesnoninterferenceif,foranymemoriesandthatagreeonLvariables,thememoriesproducedbyrunningconandonalsoagreeonLvariables(providedthatbothrunsterminatesuccessfully).Thename\noninterference"waschosenbecauseofitssimilaritytoapropertyproposedearlierbyGoguenandMeseguer[10].Theideabehindnoninterfer-enceisthatsomeoneobservingthenalvaluesofLvariablescannotconcludeanythingabouttheinitialvaluesofHvariables.Noticethatthenoninterferencepropertydenedaboveisapplicableonlytodeterministicprograms.Inlatersections,wewillconsidernoninterferencepropertiesthatareappropriatefornondeterministicprograms.Ofcourse,leakingHinformationintoLvariablesisnottheonlywaythatHinformationmightbeleaked.Considerwhile(secret!=0);Thisprogramloopsisecretisnonzero.Soanattackerwhocanobserveter-mination/nonterminationcandeducesomeinformationaboutsecret.Sim-ilarly,therunningtimeofaprogrammaydependonHinformation.Suchtimingleaksareveryhardtoprevent,becausetheycanexploitlow-levelim-plementationdetails.Considerthefollowingexample,adaptedfromAgat[1].inti,count,xs[4096],ys[4096];for(count=0;count100000;count++){if(secret!=0)for(i=0;i4096;i+=2)xs[i]++;elsefor(i=0;i4096;i+=2)ys[i]++;for(i=0;i4096;i+=2)xs[i]++;} 4GeoreySmithAtanabstractlevel,theamountofworkdonebythisprogramdoesnotseemtodependonthevalueofsecret.But,whenrunonalocalSparcserverwitha16Kdatacache,ittakestwiceaslongwhensecretis0asittakeswhensecretisnonzero.(Whensecretisnonzero,thearrayxscanremaininthedatacachethroughouttheprogram'sexecution;whensecretis0,thedatacacheholdsxsandysalternately.)Becauseoutsideobservationsoftherunningprogrammakeitsohardtopreventinformationleaks,mostworkonsecureinformation\rowaddressesonlyleaksofinformationfromHvariablestoLvariables,ascapturedbythenoninterferenceproperty.Focusingonnoninterferencecanalsobejustiedbynotingthatwhenwerunaprogramonourowncomputer(asinthee-taxexampleabove)wemaybeabletopreventoutsideobservationsofitsexecution.2TypingPrinciplesInthissection,wedescribehowtypesystemscanbeusedtoensurenoninter-ferenceproperties.Forsimplicity,weassumethattheonlysecuritylevelsareHandL.Webeginbyconsideringaverysimpleimperativelanguagewiththefollowingsyntax:(phrases)p::=ejc(expressions)e::=xjnje1+e2j:::(commands)c::=x:=ejskipjifethenc1elsec2jwhileedocjc1;c2Heremetavariablexrangesoveridentiersandnoverintegerliterals.Integersaretheonlyvalues;weuse0forfalseandnonzerofortrue.Aprogramcisexecutedunderamemory,whichmapsidentierstoval-ues.Weassumethatexpressionsaretotalandevaluatedatomically,with(e)denotingthevalueofexpressioneinmemory.ExecutionofcommandsisgivenbyastandardstructuraloperationalsemanticsasinGunter[11],showninFigure1.Theserulesdeneatransitionrelation!oncongurations.Acongurationiseitherapair(c;)orsimplyamemory.Intherstcase,cisthecommandyettobeexecuted;inthesecondcase,thecommandhaster-minated,yieldingnalmemory.Wewrite!forthere\rexive,transitiveclosureof!.GoingbacktoDenning'soriginalwork[9],wecanidentifythefollowingprinciples:First,weclassifyexpressionsbysayingthatanexpressionisHifitcon-tainsanyHvariables;otherwiseitisL. PrinciplesofSecureInformationFlowAnalysis5(update)x2dom() (x:=e;)(skip;)!(branch)(e)=0 (ifethenc1elsec2;)!(c1;)(e)=0 (ifethenc1elsec2;)!(c2;)(loop)(e)=0 (whileedoc;)!(e)=0 (whileedoc;)!(c;whileedoc;)(sequence)(c1;)!0 (c1;c2;)!(c2;0)(c1;)!(c01;0) (c1;c2;)!(c01;c2;0)Fig.1.StructuralOperationalSemanticsNextwepreventexplicit\rowsbyforbiddingaHexpressionfrombeingassignedtoaLvariable.Finally,wepreventimplicit\rowsbyforbiddingaguardedcommandwithaHguardfromassigningtoLvariables.Wecanexpresstheseclassicationsandrestrictionsusingatypesystem.Thesecuritytypesthatweneedareasfollows:(datatypes)::=LjH(phrasetypes)::=jvarjcmdTheintuitionisthatanexpressioneoftypecontainsonlyvariablesoflevelorlower,andacommandcoftypecmdassignsonlytovariablesoflevelorhigher.Next,weneedanidentiertypingthatmapseachvariabletoatypeoftheformvar,givingitssecuritylevel.Atypingjudgmenthastheform`p:,whichcanbereadas\fromidentiertyping,itfollowsthatphrasephastype".Inaddition,itisconvenienttohavesubtypingjudgmentsoftheform12.Forinstance,wewouldwantHcmdLcmd,becauseifacommandassignsonlytovariablesoflevelHorhigherthen,afortiori,itassignsonlytovariablesoflevelLorhigher.ThetypingrulesareshowninFigures2and3;theyrstappearedinVolpano,Smith,andIrvine[32].Programsthatarewelltypedunderthistypesystemareguaranteedtosatisfynoninterference.First,thefollowingtwolemmasshowthatthetype 6GeoreySmith(r-val)(x)=var `x:(int)`n:L(plus)`e1:;`e2: `e1+e2:(assign)(x)=var;`e: `x:=e:cmd(skip)`skip:Hcmd(if)`e:`c1:cmd`c2:cmd `ifethenc1elsec2:cmd(while)`e:`c:cmd `whileedoc:cmd(compose)`c1:cmd`c2:cmd `c1;c2:cmdFig.2.Typingrules(base)LH(cmd)0 cmd0cmd(reflex)(trans)12;23 13(subsump)`p:1;12 `p:2Fig.3.Subtypingrulessystemenforcestheintendedmeaningsofexpressiontypesandcommandtypes:Lemma1(SimpleSecurity).If`e:,thenecontainsonlyvariablesoflevelorlower.Lemma2(Connement).If`c:cmd,thencassignsonlytovariablesoflevelorhigher. PrinciplesofSecureInformationFlowAnalysis7Next,wesaythatmemoriesandareL-equivalent,writtenL,ifandagreeonthevaluesofLvariables.Nowwecanshownoninterference:Theorem1(Noninterference).IfciswelltypedandLandcrunssuccessfullyunderbothand,producingnalmemories0and0,respec-tively,then0L0.Proof.Theproofisbyinductiononthelengthoftheexecution(c;)!0.Wedescribetwointerestingcases:Supposecisanassignmentx:=e.IfxisH,then0L0trivially.AndifxisL,thenthetypesystemrequiresthate:L,whichmeansthatbySimpleSecurity,econtainsonlyLvariables.Hence(e)=(e),whichmeansthat0L0.Supposeciswhileedoc0.IfeisL,thenbySimpleSecurity(e)=(e),whichmeansthattheexecutionsfrom(whileedoc0;)andfrom(whileedoc0;)begininthesameway;theygoeithertoandto(if(e)=(e)=0)orto(c0;whileedoc0;)andto(c0;whileedoc0;)(otherwise).Intheformercasewearedoneimmediately,andinthelattercasetheresultfollowsbyinduction.If,instead,eisH,thenthetypesystemrequiresthatc0hastypeHcmd.So,byConnement,c0assignsonlytoHvariables.ItfollowsthatL0andL0,whichimpliesthat0L0.Theremainingcasesaresimilar.utOfcoursethelanguagethatwehaveconsideredsofarisverysmall.Inthenextsubsections,weconsideranumberofextensionstoit.2.1ConcurrencySupposethatweextendourlanguagewithmultiplethreads,underasharedmemory.Thisintroducesnondeterminism,whichmakesthenoninterferencepropertyinDenition1inappropriate|nowrunningaprogramtwiceunderthesamememorycanproducetwomemoriesthatdisagreeonthevaluesofLvariables.Asastartingpoint,wemightgeneralizetoapossibilisticnoninterferencepropertythatsaysthatchangingtheinitialvaluesofHvariablescannotchangethesetofpossiblenalvaluesofLvariables:Denition2(PossibilisticNoninterference).Programcsatisespossi-bilisticnoninterferenceif,foranymemoriesandthatagreeonLvariables,ifrunningconcanproducenalmemory0,thenrunningconcanpro-duceanalmemory0suchthat0and0agreeonLvariables.DothetypingrulesinFigures2and3sucetoensurepossibilisticnon-interference?Theydonot,asisshownbytheexampleinFigure4,whichisfromSmithandVolpano[28].Theinitialvaluesofallvariablesare0,except 8GeoreySmithThread:while(mask!=0){while(trigger0==0);leak=leak|mask;//bitwise'or'trigger0=0;maintrigger=maintrigger+1;if(maintrigger==1)trigger1=1;}Thread:while(mask!=0){while(trigger1==0);leak=leak&~mask;//bitwise'and'withcomplementofmasktrigger1=0;maintrigger=maintrigger+1;if(maintrigger==1)trigger0=1;}Thread\r:while(mask!=0){maintrigger=0;if(secret&mask==0)trigger0=1;elsetrigger1=1;while(maintrigger!=2);mask=mask/2;}trigger0=1;trigger1=1;Fig.4.Amulti-threadedprogramthatleakssecretmask,whosevalueisapowerof2,andsecret,whosevalueisarbitrary.Itcanbeseenthat,underanyfairscheduler,thisprogramalwayscopiessecrettoleak.Yetallthreethreadsarewelltypedprovidedthatsecret,trigger0,andtrigger1areH,andleak,maintrigger,andmaskareL.Soweneedtoimposeadditionalrestrictionsonmulti-threadedprograms.Beforeconsideringsuchrestrictions,however,wemustrstaddressthespec-icationofthethreadschedulermorecarefully.Possibilisticnoninterferenceissucientonlyifweassumeapurelynondeterministicscheduler,whichateachstepcanchooseanythreadtorunforthenextstep.Underthismodel, PrinciplesofSecureInformationFlowAnalysis9thereisnolikelihoodassociatedwiththememoriesthatcanresultfromrun-ningaprogram|eachnalmemoryissimplypossibleorimpossible.Butarealschedulerwouldinevitablybemorepredictable.Forexample,asched-ulermight\ripcoinsateachsteptochoosewhichthreadtorunnext.Undersuchaprobabilisticscheduler,possibilisticnoninterferenceisinsucient.Con-siderthefollowingexamplefromMcLean[14].Lettheprogramconsistoftwothreads:leak=secret;andleak=random(100);Assumethatrandom(100)returnsarandomnumberbetween1and100andthatthevalueofsecretisbetween1and100.Thisprogramsatisespos-sibilisticnoninterference,becausethenalvalueofleakcanbeanynumberbetween1and100,regardlessofthevalueofsecret.But,underaprob-abilisticschedulerthat\ripsacointodecidewhichthreadtoexecuterst,thevalueofleakwillbethevalueofsecretwithprobability101/200,andeachothernumberbetween1and100withprobability1/200.Thisexamplemotivatesastrongersecurityproperty,probabilisticnoninterference,whichsaysthatchangingtheinitialvaluesofHvariablescannotaectthejointprobabilitydistributiononthenalvaluesofLvariables.FurtherdiscussionofpossibilisticandprobabilisticsecuritypropertiescanbefoundinMcLean[15].Wenowdescribeatypesystemforensuringprobabilisticnoninterferenceinmulti-threadedprograms.Therstsuchsystems(SmithandVolpano[28,31]andSabelfeldandSands[23])adoptedthesevererestrictionthatguardsofwhile-loopsmustbeL.ThisrulesouttheprograminFigure4(trigger0andtrigger1areH),butitalsomakesithardtowriteusefulprograms.Later,inspiredbyHonda,Vasconcelos,andYoshida[12],abettertypesystemwaspresentedbySmith[26,27].(Remarkably,almostthesamesystemwasdevelopedindependentlybyBoudolandCastellani[5].)Thistypesystemallowswhile-loopguardstocontainHvariables,buttopreventtiming\rowsitdemandsthatacommandwhoserunningtimedependsonHvariablescannotbefollowedsequentiallybyanassignmenttoaLvariable.TheintuitionisthatsuchanassignmenttoaLvariableisdangerousinamulti-threadedsetting,becauseifanotherthreadassignstothesamevariable,thenthelikelyorderinwhichtheassignmentsoccur(andhencethelikelynalvalueoftheLvariable)dependsonHinformation.Thetypesystemusesthefollowingsetoftypes:(datatypes)::=LjH(phrasetypes)::=jvarj1cmd2jcmdnThenewcommandtypeshavethefollowingintuition: 10GeoreySmithAcommandcisclassiedas1cmd2ifitassignsonlytovariablesoftype1(orhigher)anditsrunningtimedependsonlyonvariablesoftype2(orlower).Acommandcisclassiedascmdnifitassignsonlytovariablesoftype(orhigher)anditisguaranteedtoterminateinexactlynsteps.ThenewtypingandsubtypingrulesarepresentedinFigures5and6.Theserulesmakeuseofthelatticejoinandmeetoperations,denoted_and^,respectively.Also,weextendthelanguagewithanewcommand,protectc,whichrunscommandcatomically.Thisishelpfulinmaskingtimingvaria-tions.Thekeyideabehindthesoundnessofthistypesystemisthatifawell-typedthreadcisrunundertwoL-equivalentmemories,theninbothrunsitmakesexactlythesameassignmentstoLvariables,atthesametimes.Giventhisproperty,weareabletoshowthatwell-typedmulti-threadedprogramssatisfyprobabilisticnoninterference.Theproofinvolvesestablishingaweakprobabilisticbisimulation;thedetailsareinSmith[27].2.2ExceptionsAnotherlanguagefeaturethatcancausesubtleinformation\rowsisexcep-tions.Forexample,hereisaJavaprogramthatusesexceptionsfromout-of-boundsarrayindicestoleakasecret:intsecret;intleak=0;int[]a=newint[1];for(intbit=0;bit30;bit++){try{a[1-(secret&#x-522;&#x.859;&#x-522;&#x.859;bit)%2]=0;leak|=(1bit);}catch(ArrayIndexOutOfBoundsExceptione){}}Inthiscode,bitisL.Herethekeyisthatarrayahaslength1,sotheassignmenta[1-(secret&#x-510;&#x.829;&#x-510;&#x.829;bit)%2]=0;raisesanexceptionithecurrentbitofsecretis0.Asaresult,theassignmentleak|=(1bit);isexecutedithecurrentbitofsecretis1.Howshouldleaksduetoexceptionsbeprevented?Onepossibilityistouseanapproachsimilartowhatwasusedforconcurrency:wecanrequirethat PrinciplesofSecureInformationFlowAnalysis11(r-val)(x)=var `x:(int)`n:L(plus)`e1:;`e2: `e1+e2:(assign)(x)=var;`e: `x:=e:cmd1(skip)`skip:Hcmd1(if)`e:`c1:cmdn`c2:cmdn `ifethenc1elsec2:cmdn+1`e:112`c1:2cmd3`c2:2cmd3 `ifethenc1elsec2:2cmd1_3(while)`e:11232`c:2cmd3 `whileedoc:2cmd1_3(compose)`c1:cmdm`c2:cmdn `c1;c2:cmdm+n`c1:1cmd223`c2:3cmd4 `c1;c2:1^3cmd2_4(protect)`c:1cmd2ccontainsnowhileloops `protectc:1cmd1Fig.5.Typingrulesformulti-threadedprograms 12GeoreySmith(base)LH(cmd)011;202 1cmd201cmd020 cmdn0cmdncmdncmdL(reflex)(trans)12;23 13(subsump)`p:1;12 `p:2Fig.6.Subtypingrulesformulti-threadedprogramsacommandthatmightraiseexceptionsbasedonthevaluesofHvariablesmustnotbefollowedsequentiallybyanassignmenttoLvariables.ThisistheapproachtakenbyJif[16].Becausethiswouldseemtobequiterestrictiveinpractice,DengandSmith[6]proposeadierentapproach.Ifwechangethelanguagesemanticssothatarrayoperationsneverraiseexceptions,thenwecantypethemmuchmorepermissively.Theideaistotreatcommandswithout-of-boundsarrayindicesasno-opsthataresimplyskipped.Underthisapproach,wegiveanarraytype1arr2toindicatethatitscontentshavelevel1anditslengthhaslevel2.Then,forexample,wecanusethefollowingstraightforwardandpermissivetypingruleforarrayassignment:(x)=1arr2;`e1:1;`e2:1 `x[e1]:=e2:1cmdThefulltypesystemisgivenin[6].Incontrast,butwiththesameintent,FlowCaml[25]speciesthatanout-of-boundsarrayindexcausestheprogramtoabort.Thisalsopreventsout-of-boundsexceptionsfrombeingobservedinternally,allowingmorepermissivetypingrules.2.3OtherLanguageFeaturesSecureinformation\rowanalysiscantreatlargerlanguagesthanwehavecon-sideredhere.NotableistheworkofMyers[16]andBanerjeeandNaumann[3],whichtreatsobject-orientedlanguages,andthatofPottierandSimonet[20]whichtreatsafunctionallanguage.Anotherusefultechnologyinthiscontextistypeinference,whichfreestheprogrammerfromhavingtospecifythesecuritylevelsofallthevariablesinthe PrinciplesofSecureInformationFlowAnalysis13program.Heorshecanspecifythelevelsofjustthevariablesofinterest,andhaveappropriatesecuritylevelsofallothervariablesbeinferredautomatically.Interestingly,thedesiretodotypeinferenceisonereasonforassumingthatthesetofsecuritylevelsformsalattice,becausetypeinferenceisNP-completeoveranarbitrarypartialorder.ThisfollowsfromaresultofPrattandTiuryn[21].Theyshowthatoverthe\2-crown"givenby ABCDtheproblemoftestingthesatisabilityofasetofinequalitiesbetweenvari-ables(x,y,z,...)andconstants(A,B,C,D)isNP-complete.WecaneasilyreducethesatisabilityproblemtotheinferenceproblembymappingasetofinequalitiesCtoaprogrampsuchthatCissatisableisomechoiceofsecuritylevelsfortheinferablevariablesofpmakespwelltyped.Forexample,wemapfxA;By;xygtotheprograma:=x;y:=b;y:=xwhereaandbarevariablesoflevelsAandB,respectively,andxandyarevariableswhoselevelsaretobeinferred.Incontrast,typeinferencecanbedoneecientlyoveralattice.Workontypeinferenceforsecureinformation\rowincludesVolpanoandSmith[30],PottierandSimonet[20],Sun,Banerjee,andNaumann[29],andDengandSmith[7].3ChallengesInspiteofagreatdealofresearch,secureinformation\rowanalysishashadlittlepracticalimpactsofar.(See,forexample,Zdancewic'sdiscussion[33].)Inthissectionwediscusssomechallengesthatneedtobeovercometomakesecureinformation\rowanalysismoreusefulinpractice.Oneobviousconcernisthatmuchoftheworkintheresearchliteraturehasbeentheoretical,treating\toy"languagesratherthanfullproductionlan-guages.Whilethishassurelyhinderedadoptionofthistechnologysomewhat,infacttherearetwomatureimplementationsofrichlanguageswithsecurein-formation\rowanalysis,namelyJif[17]andFlowCaml[25].Thisfactsuggeststhattheproblemslargelylieelsewhere. 14GeoreySmithInexploringthisissuefurther,itseemshelpfultodistinguishbetweentwodierentapplicationscenarios:developingsecuresoftwareandstoppingmalicioussoftware.Weconsidertheseinturn.3.1Scenario1:DevelopingSecureSoftwareInthisscenario,theideaistousesecureinformation\rowanalysistohelpinthedevelopmentofsoftwarethatsatisessomesecuritygoals.Heretheanal-ysisservesasaprogramdevelopmenttool.Wecouldimaginesuchatoolbeingusedinteractivelytohelptheprogrammertoeliminateimproperinformationleaks.Here,theanalysiscouldbecarriedoutonsourcecode.Thestaticanalysistoolwouldalerttheprogrammertopotentialleaks.Theprogrammercouldrespondtosuchalertsbyrewritingthecodeasnec-essary.Wealsomightallowtheprogrammertoinsertexplicitdeclassicationstatements(ineect,typecasts)todealwithsituationswheretheanalysisisoverlyrestrictive.(SuchdeclassicationstatementsareallowedinJif,forexample.)Allowingdeclassicationstatementsisrisky,ofcourse,butitmightbereasonableinsituationswherewecantrustthattheprogrammerisnotmaliciousorincompetent.AnexampleofthisscenariocanbefoundinAskarovandSablefeld[2]whichdiscussestheimplementationofa\mentalpoker"protocolinJif.Theprogramisabout4500lineslong,anditusesanumberofdeclassicationstatements,forexampletomodeltheintuitionthatencryptingHinformationmakesitL.3.2Scenario2:StoppingMaliciousSoftwareInthisscenario,theideaistousesecureinformation\rowanalysisasakindofltertostopmalicioussoftware(\malware").Wemightimagineanalyzingapieceofuntrusteddownloadedcodebeforeexecutingit,withthegoalofguaranteeingitssafety.ThisscenarioisclearlymuchmorechallengingthanScenario1.Firstofall,weprobablywouldnothaveaccesstothesourcecode,requiringustoanalyzebinaries.Analyzingbinariesismoredicultthananalyzingsourcecodeandhasnotreceivedmuchattentionintheliterature,asidefromsomerecentworkonanalyzingJavabytecodes,suchasBartheandRezk[4].Afurtherchallengehereisthattheanalysiswouldneedtobefullyauto-matic,withoutthepossibilityofinteractionwiththeprogrammer.Moreover,declassicationstatementscertainlycannotbeblindlyacceptedinthissce-nario.Ifwedoallowdeclassicationstatements,thenitbecomesunclearwhat(ifany)securitypropertiesareguaranteed.3.3FlowPoliciesInbothscenarioswehaveakeyquestion:whatinformation\rowpoliciesdowewant?Aswehavediscussedabove,secureinformation\rowanalysishas PrinciplesofSecureInformationFlowAnalysis15focusedonenforcingnoninterference.Butnoninterferencerequiresabsolutelyno\rowofinformation.Asitturnsout,thisdoesnotseemtobequitewhatwewantinpractice.Arstconcernisthat\small"informationleaksareacceptableinprac-tice.Forinstance,apasswordcheckercertainlymustnotleakthecorrectpassword,butitmustallowausertoenterapurportedpassword,whichitwilleitheracceptorreject.And,ofcourse,rejectingapasswordleakssomeinformationaboutthecorrectpassword,byeliminatingonepossibility.Simi-larly,encryptingsomeHinformationwouldseemtomakeitL,butthereisa\rowofinformationfromtheplaintexttotheciphertext,sincetheciphertextdependsontheplaintext.Asanotherexample,considercensusdata.Individualcensusdataisex-pectedtobeprivate(H)butaggregatecensusdataneedstobepublic(L),sinceotherwisethecensusdataisuseless.But,ofcourse,aggregatedatade-pendsonindividualdata,contrarytowhatnoninterferencedemands.Flowpoliciessometimesinvolveatemporalaspectaswell.Forexample,wemightwanttoreleasesomesecretinformationafterreceivingapaymentforit.Theseexamplessuggestthat,inmanypracticalsituations,enforcingnon-interferenceonastaticlatticeofsecuritylevelsistooheavy-handed.Atthesametime,itseemsdiculttoallow\small"informationleakswithoutal-lowingamaliciousprogramtoexploitsuchloopholestoleaktoomuch.Amajorchallengeforsecureinformation\rowanalysis,then,istode-velopagoodformalismforspecifyingusefulinformation\rowpoliciesthataremore\rexiblethannoninterference.Theformalismmustbegeneralenoughforawidevarietyofapplications,butnottoocomplicatedforuserstounder-stand.Inaddition,wemustndenforcementmechanismsthatcanprovablyensurethatthe\rowpolicyissatised.Suchricherinformation\rowpoliciesandtheirenforcementarethesubjectofmuchcurrentresearch.Oneinter-estingapproachisLiandZdancewic[13],whichusesdowngradingpoliciesassecuritylevels,sothatthesecuritylevelspecieswhatmustbedoneto\sanitize"apieceofinformation.Morebroadly,thesurveybySabelfeldandSands[24]givesausefulframeworkforthinkingaboutrecentapproachestodeclassication.4ConclusionSecureinformation\rowanalysishasthepotentialtoguaranteestrongsecuritypropertiesincomputersoftware.Butifitistobecomebroadlyuseful,itmustbetteraddressthesecuritypropertiesthatareimportantinpractice.ThisworkwaspartiallysupportedbytheNationalScienceFoundationundergrantsCCR-9900951andHRD-0317692. 16GeoreySmithReferences1.JohanAgat.TypeBasedTechniquesforCovertChannelEliminationandReg-isterAllocation.PhDthesis,ChalmersUniversityofTechnology,Goteborg,Sweden,December2000.2.AslanAskarovandAndreiSabelfeld.Security-typedlanguagesforimplemen-tationofcryptographicprotocols:Acasestudy.InProceedingsofthe10thEu-ropeanSymposiumonResearchinComputerSecurity(ESORICS2005),pages197{221,September2005.3.AnindyaBanerjeeandDavidA.Naumann.Secureinformation\rowandpointerconnementinaJava-likelanguage.InProceedings15thIEEEComputerSecu-rityFoundationsWorkshop,pages253{267,CapeBreton,NovaScotia,Canada,June2002.4.GillesBartheandTamaraRezk.Non-interferenceforaJVM-likelanguage.InProceedingsofTLDI'05:2005ACMSIGPLANInternationalWorkshoponTypesinLanguageDesignandImplementation,pages103{112,January2005.5.GerardBoudolandIlariaCastellani.Noninterferenceforconcurrentprogramsandthreadsystems.TheoreticalComputerScience,281(1):109{130,June2002.6.ZhenyueDengandGeoreySmith.Lenientarrayoperationsforpracticalsecureinformation\row.InProceedings17thIEEEComputerSecurityFoundationsWorkshop,pages115{124,PacicGrove,California,June2004.7.ZhenyueDengandGeoreySmith.Typeinferenceandinformativeerrorre-portingforsecureinformation\row.InProceedingsACMSE2006:44thACMSoutheastConference,pages543{548,Melbourne,Florida,March2006.8.DorothyDenning.Alatticemodelofsecureinformation\row.CommunicationsoftheACM,19(5):236{242,1976.9.DorothyDenningandPeterDenning.Certicationofprogramsforsecurein-formation\row.CommunicationsoftheACM,20(7):504{513,1977.10.JosephGoguenandJoseMeseguer.Securitypoliciesandsecuritymodels.InProceedings1982IEEESymposiumonSecurityandPrivacy,pages11{20,Oak-land,CA,1982.11.CarlA.Gunter.SemanticsofProgrammingLanguages.TheMITPress,1992.12.KoheiHonda,VascoVasconcelos,andNobukoYoshida.Secureinformation\rowastypedprocessbehaviour.InProceedings9thEuropeanSymposiumonProgramming,volume1782ofLectureNotesinComputerScience,pages180{199,April2000.13.PengLiandSteveZdancewic.Downgradingpoliciesandrelaxednoninterfer-ence.InProceedings32ndSymposiumonPrinciplesofProgrammingLanguages,pages158{170,January2005.14.JohnMcLean.Securitymodelsandinformation\row.InProceedings1990IEEESymposiumonSecurityandPrivacy,pages180{187,Oakland,CA,1990.15.JohnMcLean.Securitymodels.InJohnMarciniak,editor,EncyclopediaofSoftwareEngineering.WileyPress,1994.16.AndrewMyers.JFlow:Practicalmostly-staticinformation\rowcontrol.InProceedings26thSymposiumonPrinciplesofProgrammingLanguages,pages228{241,SanAntonio,TX,January1999.17.AndrewC.Myers,StephenChong,NathanielNystrom,LantianZheng,andSteveZdancewic.Jif:Java+information\row.CornellUniversity,2004.Avail-ableathttp://www.cs.cornell.edu/jif/. PrinciplesofSecureInformationFlowAnalysis1718.JamesNewsomeandDawnSong.Dynamictaintanalysisforautomaticdetec-tion,analysis,andsignaturegenerationofexploitsoncommoditysoftware.InProceedingsofthe12thAnnualNetworkandDistributedSystemSecuritySym-posium(NDSS05),February2005.19.Peterrbk.CanYouTrustYourData?InProceedings1995TheoryandPracticeofSoftwareDevelopmentConference,pages575{589,Aarhus,Denmark,May1995.LectureNotesinComputerScience915.20.FrancoisPottierandVincentSimonet.Information\rowinferenceforML.ACMTransactionsonProgrammingLanguagesandSystems,25(1):117{158,January2003.21.VaughanPrattandJerzyTiuryn.Satisabilityofinequalitiesinaposet.Fun-damentaInformaticae,28(1{2):165{182,1996.22.AndreiSabelfeldandAndrewC.Myers.Language-basedinformation\rowsecu-rity.IEEEJournalonSelectedAreasinCommunications,21(1):5{19,January2003.23.AndreiSabelfeldandDavidSands.Probabilisticnoninterferenceformulti-threadedprograms.InProceedings13thIEEEComputerSecurityFoundationsWorkshop,pages200{214,Cambridge,UK,July2000.24.AndreiSabelfeldandDavidSands.Dimensionsandprinciplesofdeclassication.InProceedings18thIEEEComputerSecurityFoundationsWorkshop,June2005.25.VincentSimonet.TheFlowCamlSystem:Documentationanduser'sman-ual.InstitutNationaldeRechercheenInformatiqueetenAutomatique,July2003.Availableathttp://cristal.inria.fr/~simonet/soft/flowcaml/manual/index.html.26.GeoreySmith.Anewtypesystemforsecureinformation\row.InProceed-ings14thIEEEComputerSecurityFoundationsWorkshop,pages115{125,CapeBreton,NovaScotia,Canada,June2001.27.GeoreySmith.Probabilisticnoninterferencethroughweakprobabilisticbisim-ulation.InProceedings16thIEEEComputerSecurityFoundationsWorkshop,pages3{13,PacicGrove,California,June2003.28.GeoreySmithandDennisVolpano.Secureinformation\rowinamulti-threadedimperativelanguage.InProceedings25thSymposiumonPrinciplesofProgram-mingLanguages,pages355{364,SanDiego,CA,January1998.29.QiSun,AnindyaBanerjee,andDavidA.Naumann.Modularandconstraint-basedinformation\rowinferenceforanobject-orientedlanguage.InProc.EleventhInternationalStaticAnalysisSymposium(SAS),Verona,Italy,August2004.30.DennisVolpanoandGeoreySmith.Atype-basedapproachtoprogramsecu-rity.InProc.TheoryandPracticeofSoftwareDevelopment,volume1214ofLectureNotesinComputerScience,pages607{621,April1997.31.DennisVolpanoandGeoreySmith.Probabilisticnoninterferenceinaconcur-rentlanguage.JournalofComputerSecurity,7(2,3):231{253,1999.32.DennisVolpano,GeoreySmith,andCynthiaIrvine.Asoundtypesystemforsecure\rowanalysis.JournalofComputerSecurity,4(2,3):167{187,1996.33.SteveZdancewic.Challengesforinformation-\rowsecurity.InProceedingsofthe1stInternationalWorkshoponProgrammingLanguageInterferenceandDepen-dence(PLID'04),2004.