bepreparedtogivehercreditcarddetailstoamerchanttomakeapurchase,solonga - PDF document

bepreparedtogivehercreditcarddetailstoamerchanttomakeapurchase,solongasthemerchanterasesthosedetailsafterward.Medicalinformationsystems.Healthcareprovidersholdsensitivepatientinformation,includingdemo-graphicandmedicaldata.Inmanycountries,legisla-tioncontrolsunderwhatconditionspatientinforma-tionmaybereleased,andtowhom.Astheseexamplessuggest,thereasonsforerasingordeclassifyinginformationarediverse,oftencomplex,yetcrucialtosecurity.Wethereforeproposeasecuritypolicyframeworkthatallowsthespecicationofbotherasureanddeclassicationpolicies,andsupportsapplication-specicreasoningabouttheerasureanddeclassicationofinforma-tion.Inthisframework,erasurepoliciesspecifywhatpolicyshouldinitiallybeenforcedoninformation,theconditionsunderwhichtheinformationmustbeerased,and(sincein-formationmaybeallowedtoexistinasystemaftererasureinarestrictedform)whatpolicymustbeenforcedoninfor-mationtoallowittosurviveerasure.Declassicationpoli-cies,rstpresentedin[7],specifywhatpolicyshouldini-tiallybeenforcedontheinformation,theconditionsunderwhichtheinformationmaybedeclassied,andthepolicythatshouldbeenforcedontheinformationafterdeclassi-cation.Itisimportanttonotethaterasureanddeclassicationpoliciesgoverntheuseofinformationratherthanofthelo-cationswhereinformationisstored.Inparticular,ifapieceofdatahasanerasurepolicy,itmeansthatnotonlyshouldthedataitselfbeerasedunderthespeciedconditions,butalsoanyinformationderivedfromitshouldbeerased.Thus,erasurepoliciesdescribestrong,end-to-endrestrictionsonhowinformationmaybeused.Informationerasureandde-classicationcanbeseenasopposites:Astimeprogresses,declassicationpermitsmoreinformationowsinasys-tem;bycontrast,erasurepermitsfewerinformationowsastimemovesforward.Muchrecentwork(e.g.,[28,38,31,21,7,29,35,24,14])hasfocusedonsecuritypropertiesthatgeneralizenon-interferencetopermitreasoningaboutdeclassication;asthispapershows,manyofthesesecuritypropertieshaveparallelsinvolvinginformationerasure.Weshowthatsomeofthesepropertiesarepossessedbysystemsthatenforceourframework'spolicies.Inourpolicyframework,erasureanddeclassicationarecontrolledbycertainconditionsunderwhicherasureanddeclassicationarerespectivelyrequiredandpermitted.Theseconditionsareinevitablyapplication-specic,sotheframeworkdoesnotspecifythelogicforexpressingtheseconditions,preservinggenerality.Theframeworkisgeneralinanothersense;althoughthepoliciesareintendedtobeusedforprogramannotationandanalysis,theactualformoftheprogramminglanguageisnotspecied.Thispaperdoesnotfocusonhowtoconstructsys-temsthatenforceourframework'spolicies;thattopicislefttofuturework.However,weexpectthaterasureanddeclassicationpoliciescanbeenforcedthroughacombi-nationofstaticanalysis(suchasasecuritytypesystem,e.g.,[39,37,19,26,1,3,32])andrun-timemechanisms.Therestofthepaperisorganizedasfollows.Section2introducesauniedframeworkforerasureanddeclassi-cationsecuritypolicies,andpresentstwoexamplesofhowthisframeworkcanexpressreal-worldinformationerasurerequirements.Section3givesanorderingrelationthaten-ablesanalysisoflegalinformationowsinthisframework,togetherwith(andconsistentwith)adenotationalseman-ticsthatcapturesthemeaningofpolicies.Section4dis-cussesthesemanticsecurityconditionsenjoyedbysystemsthatenforceerasureanddeclassicationpolicies.Wedis-cussrelatedworkinSection5,andconcludeinSection6.Proofsofthemaintheoremsandlemmasaregiveninap-pendices.2.ErasureanddeclassicationpoliciesThissectionshowshowasinglepolicyframeworkcanincorporatebotherasureanddeclassicationpoli-cies,buildingonlattice-basedinformationowpoli-cies.Itthenpresentssomeexamplepoliciesthatcapturereal-worldinformationerasurerequirements.2.1.PoliciesWeassumethereissomeunderlyinglatticeofsecuritylevelsL[10],givingabasevocabularyforexpressingera-sureanddeclassicationpolicies.ThelatticeorderingonLiswrittenasv.Therearethreekindsofpolicies,givenbythesyntaxinFigure1. `2LLatticeelementc;dConditionsp;q::=Policies`Lattice-levelpolicypc p0Declassicationpolicypc%p0ErasurepolicyFigure1.Syntaxforpolicies Alattice-levelpolicy`isthesimplestkindofpolicy:in-formationlabeledwithsecuritypolicy`mustbeusedinac-cordancewiththesecuritylevel`2L.Theintuitionisthatitshouldonlyaffectinformationatlevel`orhigher.Anerasurepolicypc%p0requiresthatthepolicypbeen-forcedoninformation,andinadditiononceconditioncis2 Nowsupposethatweextendtheexamplesothattheconsumercanoptionallyallowthemerchanttostorethecreditcardnumber,forexample,tomaintainacus-tomerprole,andsavetheconsumerfromneedingtore-enterthecreditcardnumberforsubsequentpur-chases.Asuitablepolicyforthecreditcardnumberisnow((Mpur B)end%B)pro (Mpur B),whereproisacon-ditionthatistruewhentheconsumerhasgivenper-missionforthemerchanttomaintainacustomerpro-le.Notethatiftheconsumergivespermission,thenthemerchantmaystorethecreditcardnumberwithapol-icyMpur B,allowingthemerchanttosendthecreditcardnumbertothebankwhentheconsumermakesapur-chase;iftheconsumerdoesnotgivepermission,thenthemerchantisstillrequiredtoerasethecreditcardnum-berbytheendofthetransaction.3.SemanticsWeassumethatasystemcontainslocationsthataregov-ernedbyvariouspolicies.Asinformationowsbetweenlocations,thepolicygoverningtheinformationimplicitlychanges.Inthissection,wedenearelationoverpoliciesthatcharacterizeswhenitissecuretoowfromonepol-icytoanother.Wethengiveasemanticsforpolicies,show-ingthatthis“may-ow”relationissoundwithrespecttothesesemantics.Weshowthatthesemanticshassomein-terestingandimportantproperties.Notethatthespecica-tionofsecuritypolicies,andthedenitionofthemay-owrelation,areindependentofanyparticularmechanismforenforcingthesecuritypolicies.3.1.May-owrelationpqWenowdeneamay-owrelationpqonpoli-ciesthatdescribespermittedinformationow.Therelationisparameterizedbyatrace,becausethedeclassicationanderasureofinformationdependsuponthesatisfactionofconditions,whichinturndependsonsystemtraces.In-tuitively,ifpq,theninformationlabeledwithpolicypmaysecurelyowtoalocationlabeledwithpolicyqwhenthesystemhasproducedtrace.Forthisowtobesecure,thepolicyqmustbeatleastasrestrictiveasthepolicyp,thatis,anythingthatqpermitstobedonetoinformation,pper-mitsaswell.Theoneexceptiontothisprincipleofincreas-ingrestrictivenessisdeclassication,whosewholepurposeistomakepolicieslessrestrictive.Figure2showstheinferencerulesforthepqrela-tion.Weassumethesetoftracesisprex-closed,andwrite0ifthetrace0extendstrace,and0if0isaprexof.Wewrite0if0extendsand06=.Forconvenience,wesometimesrefertoatraceasifitwereatime;thisshouldbeunderstoodasreferringtothetimeatwhichthesystemhasproducedthetrace.Wewrite[;0)2casanabbreviationfor800:000)002c,andvalid(p;[;0))asanabbrevia-tionfor800:000)valid(p;00).Intuitively,if[;0)2c,thencisnotsatisedbyanytracethatex-tendsandisastrictprexof0;similarlyvalid(p;[;0))istrueifvalid(p;00)foreverytrace00thatextendsandisastrictprexof0.Therule(MF-LATTICE)statesthatinformationmayowfromalattice-levelpolicy`toalattice-levelpolicy`0providedthat`v`0.Sinceisnotmentionedinthepremise,suchowispermittedatanytime.Therule(MF-TRANS)makestherelationshiptransitiveonpolicies.Thedeclassicationrule(MF-DECL)permitsinforma-tiontoowfromadeclassicationpolicypc p0topolicyp0attrace,providedthattheconditionfordeclassica-tioncissatisedattrace.Thisrulecapturestheintuitivemeaningofdeclassicationpolicies:declassicationmayoccurwhentheappropriateconditionissatised.NotethatRule(MF-DECL)permitsowfrompc p0top0,andp0maypermitoperationsthatpc p0doesnot.Thedeclassicationintroductionrule(MF-DECL-I)de-scribeswhenitispermissibleforinformationtoowfromsomepolicyqtothepolicypc p0.First,itmustbepermit-tedforinformationtoowfromqtop;second,atalltimesinthefuture,iftheconditioncissatisedatthattime,thenitmustbepermittedforinformationtoowfromqtop0atthattime.Inaddition,atalltimesbetweennowandthecon-ditioncbeingsatised,thepolicyqisalwaysvalid,thatis,informationlabeledwithpolicyqdoesnotneedtobeerased.Thejudgmentvalid(p;)describesifagivenpol-icypisvalidattime.Therequirementthatqisvalidbe-tweennowandanypossibledeclassicationensuresthatin-formationowingfromqtopc p0doesnotescapeanyera-surerequirementsthatqmayhave.Thedeclassicationeliminationrule(MF-DECL-E)al-lowsinformationtoowfromadeclassicationpolicypc p0tothepolicyp.Intuitively,itisacceptableforinfor-mationtoowfrompc p0top,sincethepolicypisstrictlymorerestrictivethanthepolicypc p0,whichenforcesev-erythingthatpdoesbutalsopermitsdeclassicationtop0.Therule(MF-DECL-DECL)describeswheninforma-tionmayowfromonedeclassicationpolicypc p0toan-other,morerestrictivedeclassicationpolicyqd q0.Thein-tuitionisthatthishappensifqisatleastasrestrictiveasp,thepolicyqd q0permitsdeclassicationonlywhenpc p0does(thatis,whenevertheconditiondissatised,cissat-isedtoo),andwheneverdeclassicationispermitted,q0isatleastasrestrictiveasp0.AscanbeseenbyinspectionofFigure2,eachofthemay-owrulesforerasurepoliciescorrespondstoade-classicationrule.Forexample,erasureintroduction(MF-4 WeassumethattheunderlyinglatticeLcandescribehowobservablelocationsare,andproceedtodenetheobservationlevelofanarbitrarypolicyp,obs(p).Theobservabilityofalatticelevelpolicy`issimply`,andtheobservabilityofdeclassicationanderasurepoliciesisjusttheobservabilityoftheleftsubpolicy:obs(pc p0)=obs(pc%p0)=obs(p).Giventhisnotionofobservationlevel,wecandeneasemanticsforpoliciessuchthatthesemanticsofapolicypdescribeshowinformationinitiallylabeledpmaypropa-gate,andbecome(orceasetobecome)observableatvari-ouslatticelevels,asthesystemexecutes.Figure3givesasemanticsforapolicypandtrace,written[[p]],asasetofpairsoftracesandlatticeelements,(0;`),where0.Thesemanticscapturesallthepos-siblewaysthatinformationlabeledwithpolicypjustbe-foretracemayaffectinformationinthefuture.Morefor-mally,weexpectthatifinformationlabeledpjustbeforetracemaypropagatetoalocationlabeledqattime0,then(0;obs(q))2[[p]].3.3.ConsistencyofthesemanticsToshowthatthesemanticscapturesitsinformalmean-ingprecisely(andtoproveit),weneedsomeadditionalcon-ceptsandpropertiesthatrelatethesemantics,theobserva-tionallevel,andthemay-owrelation. [[`]]=f(0;`0)j0and`v`0g[[pc p0]]=[[p]][f(00;`)2[[p0]]0j0and0cg[[pc%p0]]=([[p]]\f(000;`)2[[p0]]0j0and[;0)2cg)[f(0;`)2[[p]]j[;0)2cgFigure3.Semanticsforpolicies[[p]] Tobeginwith,forallpoliciesp,weobservethatastimegoeson,therearefewerpossiblewaysinwhichinforma-tionlabeledwithpolicypmayaffectinformation.Inpartic-ular,foranypolicypandtracesand0,solongasinformationlabeledwithpdoesnotneedtobeerasedbe-tweenand0,then[[p]]0[[p]].Property3.2:Letpbeapolicyandand0betracessuchthat0.Ifvalid(p;[;0)),then[[p]]0[[p]].Ausefulpropertyofthesemantics,whichwillbeneededinlaterproofs,isthatforanygivenpolicypandtracesand0,thesetoflatticelevelsf`j(0;`)2[[p]]gisclosedupward.Property3.3:Forallpoliciesp,tracesand0andlatticelevels`,if(0;`)2[[p]],thenforall`0suchthat`v`0wehave(0;`0)2[[p]].Thefollowingtheoremshowsthatthemay-owrelationpqissound,inthesensethatifinformationmayowfromptoq,then[[p]][[q]],thatis,informationlabeledwithpolicypattracecanaffectatleastasmuchinthefutureasinformationlabeledwithpolicyqcan.TheproofofthetheoremisgiveninAppendixA.Theorem3.4:Forallpoliciesp;qandtraces,ifpqthen[[p]][[q]].Therelationpqtellsusthatinformationlabeledwithpolicypmayowtoalocationlabeledqattime.How-ever,ingeneral,weareinterestedinreasoningnotonlyaboutthelocationsqthatinformationlabeledpmayowtoinasinglestep,butaboutalllocationsthatinforma-tionlabeledpmaypropagateto.Weextendtherelationpqtotherelationp0q,toallowustoreasonaboutwhereinformationlabeledpmaypropagatefromthetimethesystemhasproducedthetracetothetimeithasproducedthetrace0,where0.Figure4presentstheinferencerulesforthenewrelation.Wehavep0qifthereissomesequenceoftraces1;:::;nsuchthat=1


n=0,andsomesequenceofpoliciesp0;:::;pnsuchthatp=p01p12


npn=q.Moreover,eachpiisvalidbetweeniandi+1,whichen-suresthatinformationstoredinalocationlabeledpiwillnotbeerasedbeforeitcanpropagate,attracei+1. pqvalid(q;) pq000p00p0valid(p0;[00;0))p00qvalid(q;0) p0qFigure4.Inferencerulesforp0q Thereisastrongandsimpleconnectionbetweenthere-lation0andthesemanticsofpolicies:Property3.5:Forallpoliciespandq,andtracesand0,ifp0q,then[[p]][[q]]0.Thereisalsoasimpleconnectionbetweentheobserv-abilityofapolicyandthesemanticsofthatpolicy.Property3.6:Forallpoliciespandtraces,ifvalid(p;),wehave(;obs(p))2[[p]].Wecannowstatethebasictheoremthatrelatesthepol-icysemanticstotheobservationallevel:ifinformationla-beledpattimemaypropagatetoalocationlabeledqattime0,then(0;obs(q))2[[p]].Property3.7:Forallpoliciespandqandtracesand0suchthat0,ifp0qthen(0;obs(q))2[[p]].6 owtopol(x)mayinuencethenondeterministicchoice.Forexample,ifxissettoanumberchosenrandomlybe-tween0andthevalueheldinlocationyattrace,thenitbetterbethecasethatpol(y)pol(x).Thepolicy-enforcingdenitionispossibilistic:clause(2)requiressimplytheexistenceofasuitablestates0k+1.Webelievesuitablymodiedformsofthetheoremsinthefollowingsubsectionsshouldholdforaprobabilisticdeni-tionofpolicy-enforcingsystems.Thedenitionofapolicy-enforcingsystemisastrongrequirement.Inparticular,itensuresthatnoinformationisleakedthroughtimingorterminationchannels.Timingandterminationchannelscouldbeallowedbyallowingthetran-sitionrelationtobereexiveandweakeningtherequire-mentinclause(2)that“thereexistsafeasiblestates0k+1suchthats0k!s0k+1...”tothefollowing:thereexistsa(possiblyinnite)sequenceofstatess0k;:::;s0k+n+1withs0i!s0i+1fori2k::(k+n)suchthatforalli2k::(k+n)andlocationsx,ifsk(x)=s0k(x)thensk(x)=s0i(x),andeitherthesequenceisinnite,orforalllocationsx,ifsk+1(x)6=s0k+n+1(x)thenthere9y:sk(y)6=s0k(x)andpol(y)s0:::sk+1pol(x).Foreaseofexposition,wedonotweakenthedeni-tion,andassumethatpolicy-enforcingsystemsdonotleakanyinformationthroughtimingorterminationchannels.Webelievethatsuitablyweakenedformsofthetheoremsinthefollowingsubsectionsholdwheninformationmayleakthroughthesechannels.4.1.1.Policiesascovertchannels.Givenaconditioncthatmayoccurinapolicy,thesatisfactionofcmaydependonthetraceofthesystem,,asevidencedbytherelationcusedinSections2and3.Thus,thepoliciesenforcedonlocationsmayprovidecovertstoragechannels,modu-latedbythesatisfactionofconditions.Forexample,infor-mationlabeledwithpolicy`c `0,forsome`6v`0,mayowtoalocationlabeled`0onlywhentheconditioncissatis-ed;ifthesatisfactionofcdependsonsomesensitiveinfor-mation,observingthattheinformationowoccurredmayrevealit.Tomodeltheinformationthatmaybeobtainedbyob-servingthesatisfactionornon-satisfactionofacondition,weassumethatforanyconditioncoccurringinanypol-icyintheimageofpol(
),thereisa(probablyctitious)locationxcthatstoresthesatisfactionofc.Thatis,foranytraces0:::sk,wehavesk(xc)=trueifandonlyifs0:::skc.Thepolicythatxcislabeledwith,pol(xc),describestheinformationthatmaybelearnedbyobserv-ingwhethercissatised.Wedeneanotionofconditionindependencetodescribewheninformationisindependentofthesatisfactionofanyconditions;thisnotionwillbeusefulinlatersubsectionsdiscussingsemanticsecurityproperties.Intuitively,apol-icypiscondition-independentifinformationlabeledwithpcannotaffectthesatisfaction,ornon-satisfaction,ofanyconditioncinthesystem.Denition4.2:Apolicypiscondition-independentifforallconditionscthatoccurinanypolicyintheimageofpol(
),andforalltracesand0,wehavep60pol(xc),wherexcstoresthesatisfactionofc.Forexample,ifforallconditionscandtraces,there-lationccanbedeterminedbystaticallyexaminingthecodeofthesystem,andthecodeofthesystemisla-beledwithpolicy?L,thenforanyconditionc,wehavepol(xc)=?L;thus,anypolicypsuchthatp6?Lforallwillbeconditionindependent.4.1.2.Makingsystemspolicy-enforcing.Thedenitionofpolicy-enforcingsystemsisoflittlepracticalusewhenbuildingsystemsthatareintendedtoenforcethesecuritypolicies.Thedevelopmentoftechniquestobuildand/orver-ifythatsystemsenforcethesecuritypoliciesisthesubjectoffuturework.Sinceitisdifcultforpurelyrun-timemechanismstoen-forcestrictinformationowpolicies[11],weenvisionstaticanalysisastheprimarymethodofbuildingpolicy-enforcingsystems,forexample,atypesystemsimilartothosethatareusedinsecurity-typedlanguages(e.g.,[39,37,19,26,1,3,32]).However,additionalrun-timemechanisms,suchasmemoryregions[36,13,16],toensurethatlocationlife-timesarelimitedappropriately,mayproveusefulintheen-forcementoferasurepolicies.Theconnectionbetweensecurityandthedenitionofapolicy-enforcingsystemisnotimmediatelyapparent.How-ever,thedenitionprovidesthetoolsneededtoprovethatpolicy-enforcingsystemssatisfyvariousmoreintuitivese-manticsecurityconditions,asdiscussedintherestofthissection.4.2.NoninterferenceNoninterference[15]isasemanticsecurityconditionwhichrequiresthathighsecurityinputsdonotaffectlowse-curityoutputs.Theprecisedenitionsofinput,output,andhighandlowsecurityleadtoslightlydifferentdenitionsofnoninterference.Inthiscontext,wewillassumethatthesystem'sinputisgiveninasinglelocation;thatthesystem'soutputisallvaluesstoredinthelocationsduringthesubse-quentexecutionofthesystem;andthatinformationislowsecurityifitisobservablebyagivenattacker,andhighse-curityotherwise.Moreprecisely,consideranattackerwho,forsomelat-ticeelement`,isabletoobserveallandonlylocationsxsuchthatobs(pol(x))v`.Alocationisregardedashighsecurityifitisnotobservablebytheattacker,andlowsecu-rityifitis.8 returnsalowerboundonthesetf`j(;`)2[[p]]g,whereconds(;p)=C0:::Ck.Thefactthatlvl(p;C0:::Ck)re-turnsalowerboundismadeprecisebythefollowingprop-erty,whichwouldallowanequivalentstatementofnon-interferenceaccordingtopintermsoflvl(p;conds(;p)),withnoreferencetothesemanticsofpatall. lvl(`;C0:::Ck)=`lvl(pc p0;C0:::Ck)=lvl(p;C0:::Ck)ulflvl(p0;Ci:::Ck)jc2Ciglvl(pc%p0;C0:::Ck)=8:lvl(p;C0:::Ck)if8i21::k:c=2Cilvl(p;C0:::Ck)totherwiseFflvl(p0;Ci+1:::Ck)j8j21::i:c=2CjgFigure5.Denitionoflvl(p;C0:::Ck) Property4.8:Foranypolicypandtrace,(;`)2[[p]]ifandonlyiflvl(p;conds(;p))v`.Noninterferenceaccordingtopolicypallowsne-grainedreasoningabouttheend-to-endinformationowbehaviorofasystem,eveninthepresenceofdeclassi-cationanderasure.Theequivalentstatementofnoninter-ferenceaccordingtopallowsustoreasonaboutthebe-haviorofasystemsolelyintermsofsequencesofsatisedconditions.Forexample,considerapolicy-enforcingsys-temwhoseinputhasthepolicyHd (Lc%H)forasimpletwopointlatticewhereLvHandL6=H.Byconsider-ingpossiblesequencesofsatisedconditions,wecanmakesomestrongstatementsabouttheinformationowbe-haviorofthesystem.Anytraceofthesysteminwhichtheconditiondisneversatisedwillrevealnoinforma-tionabouttheinputtoanattackerwhocanobserveonlyatlevelL,sincelvl(Hd (Lc%H);C0:::Ck)=H,whered=2Ciforalli20::k.Thisseemsareasonableclaim,be-causeifdisneversatised,nodeclassicationofthein-putmayoccur.Similarly,wecanseethatforanytraceinwhichtheconditiondisneversatisedafterthecondi-tioncis,noinformationabouttheinputisavailableattheendofthetracetoanL-attacker.Thisresultismorein-teresting:despitethefactthatinformationabouttheinputisdeclassiedandobservableatlevelLduringtheexecu-tion,bytheendofthetrace,noinformationabouttheinputisavailableatlevelL.Noninterferenceaccordingtopolicypallowsreason-ingabouttheinteractionbetweendeclassicationandera-sure,resultinginstrongersecurityguaranteesthancanbeachievedintheabsenceofinformationerasure.Noninterferenceaccordingtopolicypgeneralizesause-fulsemanticsecurityconditionnoninterferenceuntilde-classication[7],anditsequivalentforerasurepolicies,noninterferenceaftererasure.4.4.NoninterferenceaftererasureNoninterferenceuntildeclassication[7]isasecuritypropertythatensuresanattackercannotobserveanyinfor-mationaboutasecretinputuntilanappropriatesequenceofdeclassicationshasoccurred.Inthepresenceofinfor-mationerasure,thereisacorrespondingsemanticsecurityconditionforerasure:noninterferenceaftererasure.Intu-itively,afteranappropriatesequenceoferasureshaveoc-curredonsomeinputdata,anattackershouldnotbeabletoviewanyinformationabouttheinput.Unlikenoninterfer-enceuntildeclassication,wheremoreinformationabouttheinputbecomesavailableastimeprogresses,thesys-temholdslessinformationabouttheinputastheappropri-ateerasuresoccur.Noninterferenceaftererasureprovidesausefulsecurityguaranteeforprivacyandanonymitycon-cerns,wherewewouldliketoensurethatcertaininforma-tionisnotretainedbyasystem.Thedenitionofnoninterferenceaftererasurecloselyparallelsthatofnoninterferenceuntildeclassica-tion.Wewritec1:::cmwhenthereisanon-decreasingsequenceofnaturalnumbersn1:::nmsuchthatconds(;p)=C1:::Ckandci2Cnifori21::m.Denition4.9:Asystemisnoninterferingatsecu-ritylevel`afterconditionsc1:::cmforlocationhsuchthatpol(h)=`1c1%(`2c2%(


ck�2%(`k�1ck�1%`k)


),wheremk,ifforanytwovaluesv1andv2,andanystatessuchthatboths0=s[h7!v1]ands00=s[h7!v2]arefeasible,if1=s0:::skisatracesuchthat1c1:::cmthenthereisatrace2=s00:::s0ksuchthat2c1:::cmand[sk]L`=[s0k]L`.Theorem4.10:IfSisapolicy-enforcingsys-tem,thenforanycondition-independentpolicyp`1c1%(`2c2%(


ck�2%(`k�1ck�1%`k)


),anyloca-tionhsuchthatpol(h)=p,andanysecuritylevel`suchthat,`1t:::t`m+16v`,formk,thenSisnoninterfer-ingatsecuritylevel`afterconditionsc1:::cmforlocationh.Proof:Foranytracesuchthatc1:::cm,wehave`1t:::t`m+1vlvl(p;conds(;p)).TheresultfollowsfromTheorem4.7. 4.5.RobustnessRobustdeclassication[41,29,40]isasemanticsecu-rityconditionthatrestrictswhatinformationanactiveat-tackermayobtainfromasystemthatdeclassiesinforma-tion.Inparticular,asystemisrobustifanactiveattacker10 CuppensandGabillon[9]considertheproblemoftem-poraldowngradingrulesinamulti-leveldatabase.Theypresentalanguage,basedonamodalrstorderlogic,thatcapturesthesemanticsoftemporaldatabases,andpermitsthespecicationofdowngradingrules;theirdowngradingrulesareexpressive,permittingthespecicationofdown-gradingataspecictime,afteradelay,oronacertainevent(suchasauserexplicitlyrequestingtodowngradetheinfor-mation).Intransitivenoninterference[34,30,33]isaninforma-tionowconditionbasedonnoninterferencethatdescribesthebehaviorofsystemsthatdeclassifyinformation.Whileintransitivenoninterferencedoesnotaddressinformationerasure,thereisacloseconnectionbetweenitandtheen-forcementofthepqrelationship.Infact,declassi-cationpoliciesareanextensionofintransitivenoninterfer-encewithtemporalproperties:ineachcomputationstep,in-formationowsbetweenlevelsonlyifthatowispermit-tedandappropriateconditionsaretrueforthatcomputationstep[7].RecentworkbyMantelandSands[24]placesintran-sitivenoninterferenceinalanguagesetting,providingabisimulation-basedsecurityconditionformulti-threadedprogramsthatcontrolswhereinformationcanbedeclassi-ed,andatypesystemthatenforcesthiscondition.Someotherapproachestoreasoningaboutdeclassi-cationinaninformationowsetting,suchasquantita-tiveinformationow(e.g.,[25,22,12,?])andrelativese-crecy[38]seektomeasureorboundtheamountofinfor-mationthatisdeclassied.Thisworkislargelyorthogonaltothedeclassicationpoliciesofthispaper,which(inthiscontext)areconcernedonlywithpossibilisticsecurityas-surances.ZhengandMyers[42]showthatnoninterferencecanbeachievedinthepresenceofdynamiclabels.Dynamicla-belshaveacloseconnectiontodeclassicationanderasurepolicies,sincetheconditionsfordeclassicationandera-suremaydependonruntimedata.Inparticular,bothcon-trolthesecuritypoliciesofdataatruntime,andmaythem-selvesdependonruntimedata,andthus,bothmaybeusedtomodulatecovertchannels.MostofthesemanticsecurityconditionsofSection4requirethepolicyoftheinputlo-cationtobecondition-independent;itshouldbepossibletouseZhengandMyers'techniquesforreasoningaboutandcontrollinginformationowfromdynamiclabelstoprovenoninterferenceresultsthatholdevenwhenthepolicyoftheinputlocationisnotconditionindependent.Thedecentralizedlabelmodel[27,28]isasecuritypol-icyframeworkthatpermitsmutuallydistrustingownersofinformationtospecifywhoispermittedtoreadthatinfor-mation;onlyinformationownersmaydeclassifytheinfor-mationtheyown.Thedecentralizedlabelsformalattice,whichcanbeusedasthebaselatticeofthesecuritypoliciesofthispaper.Recentworkhasgeneralizeddecentralizedla-belstoownedpolicies[6];thesecuritypoliciesofthispa-per(instantiatedwithabaselatticeofsetsofreaders)couldbeusedasthepoliciesthatareownedbysecurityprinci-pals.Theuseofconditionstodeterminewhendeclassicationispermittedanderasurerequiredaddsatemporalelementtotheinformationsecuritypolicies.Assuch,thereisacon-nectionbetweenthepoliciesofthispaperandtemporallog-ics,suchasLTL[23]andCTL[8].Inparticular,ifinforma-tionhasadeclassicationpolicypc qenforcedonit,thenapolicy-enforcingsystemensuresthatatalltimes,ifthein-formationisdeclassiedfromptoq,thentheconditioncistrue.(Theconditionccoulditselfbeatemporallogicfor-mula,iftheframeworkissoinstantiated.)Givensufcientpredicatestoreasonaboutdeclassication,thisguaranteecouldbeformallystatedinatemporallogic.Similarly,ifinformationhasanerasurepolicypc%qenforcedonit,thenapolicy-enforcingsystemensuresthatatalltimes,ifcistruethentheinformationiseitherremovedfromthesys-tem,orhasbothpandqenforcedonit.Again,givensuf-cientpredicates,thisguaranteecouldbeformallystatedinatemporallogic.Barthe,D'ArgenioandRezk[4]usethetechniqueofself-compositiontostatenoninterferenceasatemporallogicformula;thesametechniquemayallownon-interferenceaccordingtopolicyptobestatedasatemporallogicformula.6.ConclusionTherehasbeenagreatdealofworkonenrichingin-formationowpoliciestosupportinformationrelease,butwearenotawareofanypriorworkoninformationera-sure,eventhougherasurepoliciesappeartobeanimpor-tantaspectofinformationsecurityrequirements.Thispaperpresentsaframeworkforstrongerasurepolicies,includingsupportforbothdeclassicationanderasure.Thepolicylanguageallowsthespecicationofpoliciesthatcombinelatticelevels,declassication,anderasureincomplexways.Themay-owrelationsupportsstaticordy-namicreasoningaboutowsofinformationannotatedwiththepolicies.Wehavealsogivenaformalsemanticstothesepoliciesandshownthatthissemanticsisconsistentwiththemay-owrelationandanotionofobservationallevel.Afor-maldenitionofwhatitmeansforatrace-basedsystemtoenforceapolicyhasbeengiven;thisdenitionthenmakesitpossibletoshowthatanypolicy-enforcingsystemsatis-esvarioususefulgeneralizationsofnoninterference.Basinginformationsecurityoninformationowpoliciesoffersthepromiseofstrong,end-to-endsecurityassurance.However,informationowpoliciesneedtobemuchmoreexpressivetocapturethesecurityrequirementsofrealsys-tems.Infact,thisworkwasmotivatedbyanattempttocap-12 [31]F.PottierandS.Conchon.Informationowinferenceforfree.InProc.5ndACMSIGPLANInternationalConferenceonFunctionalProgramming(ICFP),pages46–57,2000.[32]F.PottierandV.Simonet.InformationowinferenceforML.InProc.29thACMSymp.onPrinciplesofProgram-mingLanguages(POPL),pages319–330,2002.[33]A.W.RoscoeandM.H.Goldsmith.Whatisintransitivenon-interference?InProc.12thIEEEComputerSecurityFoun-dationsWorkshop,1999.[34]J.Rushby.Noninterference,transitivityandchannel-controlsecuritypolicies.TechnicalReportCSL-92-02,SRI,Dec.1992.[35]A.SabelfeldandA.C.Myers.Amodelfordelimitedre-lease.InProceedingsofthe2003InternationalSymposiumonSoftwareSecurity,number3233inLectureNotesinCom-puterScience,pages174–191.Springer-Verlag,2004.[36]M.TofteandJ.-P.Talpin.Region-basedmemorymanage-ment.InformationandComputation,132(2):109–176,1997.[37]D.VolpanoandG.Smith.Atype-basedapproachtopro-gramsecurity.InProceedingsofthe7thInternationalJointConferenceontheTheoryandPracticeofSoftwareDevel-opment,pages607–621,1997.[38]D.VolpanoandG.Smith.Verifyingsecretsandrelativese-crecy.InProc.27thACMSymp.onPrinciplesofProgram-mingLanguages(POPL),pages268–276,Boston,MA,Jan.2000.[39]D.Volpano,G.Smith,andC.Irvine.Asoundtypesys-temforsecureowanalysis.JournalofComputerSecurity,4(3):167–187,1996.[40]S.Zdancewic.Atypesystemforrobustdeclassication.InProceedingsoftheNineteenthConferenceontheMathe-maticalFoundationsofProgrammingSemantics,ElectronicNotesinTheoreticalComputerScience,Mar.2003.[41]S.ZdancewicandA.C.Myers.Robustdeclassication.InProc.14thIEEEComputerSecurityFoundationsWorkshop,pages15–23,CapeBreton,NovaScotia,Canada,June2001.[42]L.ZhengandA.C.Myers.Dynamicsecuritylabelsandnon-interference.InProc.2ndWorkshoponFormalAspectsinSecurityandTrust,IFIPTC1WG1.7.Springer,Aug.2004.A.ProofofTheorem3.4Proof:Byinductiononthejudgmentpq.Theinductivehypothesisisthatforanypremiseoftheformp00q0,wehave[[p0]]0[[q0]]0.(MF-LATTICE),(MF-TRANS).Trivial.(MF-DECL).Herepp00c q,andc.Wehave[[p00c q]]=[[p00]][f(00;`)2[[q]]0j0and0cg[[q]],sincec.(MF-DECL-I).Hereqq0d q00,andpq0,andpq00,andforall0,if0dthenq00isvalidforalltracesbetweenand0.Wehave[[q0d q00]]=[[q0]][f(00;`)2[[q00]]0j0and0dg.Bytheinductivehypoth-esis,wehave[[p]][[q0]],and[[p]][[q00]].Now,if(00;`)2[[q00]]0forsome0extendingsuchthat0d,thenweknowthatvalid(q00;[;0)),andthus,byProp-erty3.2[[q00]][[q00]]0.Therefore,[[p]][[q00]]0,andso(00;`)2[[p]],and[[p]][[q]]asrequired.(MF-DECL-E).Herepqc p0.Clearly,[[p]][[q]].(MF-DECL-DECL).Herepp0c p00andqq0d q00,andforall0,if0dthen0candp000q00.Bytheinductivehypothesis,wehave[[p0]][[q0]].Also,forany0suchthat0d,wehave0c,andp000q00,sobytheinductivehypothesis,[[p00]]0[[q00]]0.Sowehave[[p0c p00]][[q0d q00]].(MF-ERASE-E).Herepp0c%p00,and,bytheinduc-tivehypothesis,[[p0]][[q]]and[[p00]][[q]].Thus[[p0]]\[[p00]][[q]].Since8tau00:00)002cistriviallytrue,wehave[[p]][[p0]]\[[p00]],so[[p]][[q]]asrequired.(MF-ERASE-I).Hereqpd%q0.Clearly,[[p]][[q]].(MF-ERASE-ERASE).Herepp0c%p00andqq0d%q00.Bytheinductivehypothesis,wehave[[p0]][[q0]]andforall0,if0cthen0dand[[p00]]0[[q00]]0.Con-versely,forall0suchthat02dwehave02c,andthusforany0suchthatforall00,000)002dwehave[[p00]]0[[q00]]0.Thus[[p]][[q]]asrequired. B.ProofofLemma4.5LetSbeapolicy-enforcingsystemandphbeacondition-independentpolicy.Lets0:::sksk+1ands00:::s0kbetwotracessuchthatforalllocationsx,ifsk(x)6=s0k(x)thenphs0:::skpol(x).SinceSispol-icyenforcing,thereisastates0k+1suchthats0k!s0k+1,suchthatforalllocationsx,ifsk+1(x)6=s0k+1(x)thenthereisalocationysuchthatsk(y)6=s0k(y)andpol(y)s0:::sk+1pol(x).Supposethereissomelocationxsuchthatsk+1(x)6=s0k+1(x)andph6s0:::sk+1pol(x).Thenthereisalocationysuchthatsk(y)6=s0k(y)andpol(y)s0:::sk+1pol(x).Sincephisconditionin-dependent,valid(pol(x);s0:::sk+1)ifandonlyifvalid(pol(x);s00:::s0k+1),andsincesk+1(x)6=s0k+1(x),itmustbethecasethatvalid(pol(x);s0:::sk+1).Sim-ilarly,itmustbethecasethatvalid(pol(y);s0:::sk).Therefore,phs0:::sk+1pol(x),acontradiction.Therefore,foralllocationsx,ifsk+1(x)6=s0k+1(x)thenphs0:::sk+1pol(x). 14