Assuming You Know: Epistemic Semantics of Relational Annotations for Expressive Flow Policies

Many high-level security requirements are about the allowed flow of information in programs, but are difficult to make precise because they involve selective downgrading. Quite a few mutually incompatible and ad-hoc approaches have been proposed for specifying and enforcing downgrading policies. Prior surveys of these approaches have not provided a unifying technical framework. Notions from epistemic logic have emerged as a good approach to policy semantics but are considerably removed from well developed static and dynamic enforcement techniques. We develop a unified framework for expressing, giving meaning and enforcing information downgrading policies that builds on commonly known and widely deployed concepts and techniques, especially static and dynamic assertion checking. These concepts should make information flow accessible and enable developers without special training to specify precise policies. The unified framework allows to directly compare different policy specification styles and enforce them by leveraging existing techniques.

• Publication year

  2018

• Venue

  IEEE Computer Security Foundations Symposium

• Publication date

  2018-07-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1109/CSF.2018.00021
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Proving expected sensitivity of probabilistic programs

  2017cited by this paper
• CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

  2017cited by this paper
• Nonmalleable Information Flow Control

  2017cited by this paper
• Calculational Design of Information Flow Monitors

  2016influential reference
• Hybrid Monitoring of Attacker Knowledge

  2016cited by this paper
• Relational Logic with Framing and Hypotheses

  2016cited by this paper
• A Calculus for Flow-Limited Authorization

  2016cited by this paper
• Dynamic Enforcement of Dynamic Policies

  2015cited by this paper
• The Anatomy and Facets of Dynamic Policies

  2015cited by this paper
• Monitor inlining for declassification policy

  2015cited by this paper
• An Analysis of Universal Information Flow Based on Self-Composition

  2015cited by this paper
• The Algorithmic Foundations of Differential Privacy

  2014cited by this paper
• Information Flow Monitoring as Abstract Interpretation for Relational Logic

  2014influential reference
• Stateful Declassification Policies for Event-Driven Programs

  2014cited by this paper
• Relational abstract interpretation for the verification of 2-hypersafety properties

  2013cited by this paper
• Dependent Type Theory for Verification of Information Flow and Access Control Policies

  2013cited by this paper
• Learning is Change in Knowledge: Knowledge-Based Security for Dynamic Policies

  2012influential reference
• Flexible dynamic information flow control in Haskell

  2012cited by this paper
• End-to-end Multilevel Hybrid Information Flow Control

  2012cited by this paper
• Epistemic temporal logic for information flow security

  2011influential reference
• Verification of Information Flow and Access Control Policies with Dependent Types

  2011cited by this paper
• Attacker Control and Impact for Confidentiality and Integrity

  2011influential reference
• Noninterference through Secure Multi-execution

  2010cited by this paper
• Information Flow Monitor Inlining

  2010cited by this paper
• Paralocks: role-based information flow control and beyond

  2010cited by this paper
• Towards Static Flow-Based Declassification for Legacy and Untrusted Programs

  2010cited by this paper
• Tight Enforcement of Information-Release Policies for Dynamic Languages

  2009cited by this paper
• Non-Interference for Deterministic Interactive Programs

  2009cited by this paper
• Flow-sensitive semantics for dynamic information flow policies

  2009cited by this paper
• Reactive noninterference

  2009cited by this paper
• Tractable Enforcement of Declassification Policies

  2008cited by this paper
• Specification and Checking of Software Contracts for Conditional Information Flow

  2008cited by this paper
• Verified enforcement of stateful information release policies

  2008cited by this paper
• Expressive Declassification Policies and Modular Static Enforcement

  2008influential reference
• Linear Declassification

  2008cited by this paper
• Gradual Release: Unifying Declassification, Encryption and Key Release Policies

  2007influential reference
• Controlling the What and Where of Declassification in Language-Based Security

  2007cited by this paper
• Localized delimited release: combining the what and where dimensions of information release

  2007cited by this paper
• Information-flow security for interactive programs

  2006cited by this paper
• Dimensions and principles of declassification

  2005cited by this paper
• Simple relational correctness proofs for static analyses and program transformations

  2004cited by this paper
• The calculational design of a generic abstract interpreter

  1999cited by this paper

• Extending Dynamic Logics with First-Class Relational Reasoning

  2025cites this paper
• Assume but Verify: Deductive Verification of Leaked Information in Concurrent Applications

  2023influential citation
• Dynamic Policies Revisited

  2022cites this paper
• Towards a General-Purpose Dynamic Information Flow Policy

  2021cites this paper
• Reconciling progress-insensitive noninterference and declassification

  2020cites this paper