<body><pre>
Information Flow Security

End-to-End security
  near-term-goal:
    --ensuring programs are memory-safe, type-safe, so fine
      grained access control policies can be enforced
  long-term-goal:

Confidentiality
  Simple version
    - access control
    - encryption (no computation can be done)

  End-to-end version
    - not be improperly released by computation
    - requires information flow

Integrity
  Simple version
    - access control
    - digital signatures (no computation can be done)

  End-to-end version
    - information should not be updaed on the basis of
      less trustworthy information

Intentional vs. Extensional Security
  Access Control is intensional:
    security requirements expressed in terms of program
    artifacts
  Information flow is (ideally) extensional:
    regulates observable behavior of program rather than
    internals

Information Channels
  - End-to-End security requires controlling information
    channels (lampson 73)
  - storage channels: explicit inforamtion transmission
  - covert channels: by mechanisms not intended for signalling
    information (system load, run time, locks)
  - timing channels: by when something happens rather than what
    happens

Implicit Flows
  - covet storage channels arising from control flow
    e.g.
       boolean b = <secret>
       if (b) {
	 x = true; f();
       }
  - creates info flow from b to x
  - run-time check requires WHOLE PROCESS LABELLED SCRET after
    branch. (mandatory access control, using labels)

Multilevel Security (MLS)
  - originally, computer and networks segregated by security
    class of information used
  - idea: build one system that can securely manipulate
    information of different classes
    - goal is end-to-end secrecy
    - mandatory access control one possible
  - one attemp: multics/AIM ring model
    - protects kernel from users, but not users

  Multilevel Security Policies (Feiertag et al, 1977)
  - Security level is a pair (A, C) where A is from a 
    totall ordered set nad C is a set of categories
    e.g.
       Top secret
       Secret
       Classified
       Unclassified
    e.g.
       data labeled
       (A1, C1) \in (A2, C2) iff
	  (A1 <= A2) and (C1 <= C2)

  Ordering security policies (Denning, 1976)
  - information flow policies are partial orders

  Lattices
  - if there is a least restrictive policy that upper
    bounds any two policies (by 'join'), policies form lattice.
  - simplest policy system is boolean lattice.
  - it supports reasoning about info channels that merge and
    split (using least-upper-bound and greatest-lower-bound)
  - security levels may in general form a lattice
  - integrity can be described as a label too
    -- prevent bad data from affecting good data
    -- L1 \includesIn L2 mean info can flow from L1 to L2,
       L2 has a lower intergrity requirement, so use of data
       is more restricted
    -- integirty is a dual of confidentiality in this notions
  - combined properties
		 H(c), L(i)
          L(c),L(i)       H(c), H(i)
		 L(c), H(i)
  
		 less readable
          less secure          more secure
		 less writable

Static Analysis of information flow
  (Denning & Denning, 1977)
  - inference algo for determing whether variables are high
    or low
  - program counter label tracks implicit flows

Noninterference
  - low security behavior of the program is not affected by
    any high security data
  - confidentiality: high = confidential, low = public
    integrity: low(high integrity) = trusted, 
	       high(low intergirty) = untrusted
  - a formalization
    behaviors of system C don't reveal more info than the
    low inputs.
    s1 =L s2  => [[C]]s1 =L [[C]]s2
    "lower observer doesn't learn anything new from execution"

Downgrading & Declassification
  - Noninterference is too strong
  - idea: add escape hatch mechanism to allow system
    to move data labels downward
  - weakending confidentiality restrictions
  - e.g.
       if (password = pw) login;
       (declassfied the comparison, as infomration inevitably
	leak)

Decentralized label model (ML97)
  idea: use access control to control what declassifications
	are allowed
  principals own parts of the labels and can rewrite its part
  of the label

Intransitive Noninterference (INI)
  augments with downgrading arcs in lattice model.

Endorsement
  Dual of declassification: upgrades integrity

Q: Noninterference doesn't hold in presence of downgrading; no
   equivalently compelling externsional property

Robust Declassification (ZM01, MSZ04)
   Attacker learns nothing more by changing attack
   Forany s1, s2, a, a'. s1 =L s2 =>
      [[C[a]]]s1 =L [[C[a]]]s2 => [[C[a']]]s1 =L [[C[a']]]s2

Possibilistic SEcurity [sutherland 1986, mcCullough 1987]
  Result of a system [[C]]s is a set of possible outcomes \tau
  - outcome could be a trace \tao = s->s'->s"->...

  What's wrong?
  - Round-robin scheduler: deterministic behavior
  - Random scheduler: get most probable value

Low-view observational determinism
  Like Robust Declassification, but \forany is applied to the =L
  clauses.

Open areas:
  - dealing with inforamtion release
  - information flow in concurrent and distributed systems
  - application to richer security policies (privacy, anonmymity, ...)

</pre></body>
