
Information Release Policy Based On Programming Language Mechanisms

Posted on: 2014-06-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Zhu
GTID: 1268330422480317
Subject: Computer application technology

Abstract/Summary:
Confidentiality is one of the trusted properties of software. The traditional methods of protecting confidentiality are access control and encryption, which cannot provide end-to-end confidentiality. Information flow control policies try to achieve end-to-end confidentiality by controlling information propagation. The noninterference policy is a basic security policy among information flow control policies; it states that the public output of a system must not depend on the confidential input of that system. The noninterference policy is so restrictive that many secure application programs inevitably violate it because of the functionality they need. Hence the restrictiveness of the noninterference policy should be relaxed, and an information release policy is such a relaxed noninterference policy. We study information release policies based on programming language mechanisms, summarized as follows:

(1) We propose the semantic condition of a two-dimension information release policy and its enforcement mechanisms, to overcome the limitations of single-dimension policies. Firstly, we propose a two-dimension information release policy combining the WHAT and WHERE dimensions in a sequential programming language, based on a knowledge model of the attacker. The WHAT dimension of the policy ensures that the amount of information released cannot exceed the amount of information expected to be released, and the WHERE dimension confines the release of information to the special release statement. Secondly, we propose three kinds of enforcement mechanisms for this policy: (i) Sound type rules are established; a program that is well-typed according to these rules satisfies the two-dimension information release policy. (ii) A monitoring mechanism for the two-dimension policy is established based on automata theory. During the execution of a program, abstractions of command events are sent to the automaton as inputs; the automaton uses these inputs to track information flows and controls the execution of the program by forbidding dangerous commands that violate the information release policy. The soundness of automaton monitoring is proved. (iii) An in-lined monitoring mechanism is also established to enforce this information release policy. The mechanism generates a new application combining the policy and the source code through a trusted rewriting process. The observational equivalence of the virtual-machine-based monitoring mechanism and the in-lined monitoring mechanism guarantees the soundness of the in-lined monitoring mechanism. Lastly, we extend this two-dimension policy to a multi-threaded programming language and prove its soundness. Because it combines two dimensions, the proposed policy controls the release of confidential information at a finer granularity, so it resists the information laundering attack better. The three different enforcement mechanisms of this policy can be applied to different applications.

(2) We propose a three-dimension information release policy combining the WHAT, WHERE and WHO dimensions, together with its enforcement mechanism, in order to enhance the ability to resist the information laundering attack. The key idea of the WHAT dimension is that the attacker is not allowed to increase their observations about confidential information by causing misuse of the information release mechanism; the WHERE dimension ensures that confidential information is not released before its release statement; and the WHO dimension prevents the attacker from influencing whether confidential information is released, based on the restrictiveness of integrity. Additionally, type rules are established to enforce the policy, and the soundness of the type rules is proved.

(3) We propose a quantitative information release policy, which is more flexible, in order to overcome the shortcomings of overly restrictive qualitative analysis. We relax the restrictiveness of the robustness of information release policies from the quantitative aspect, and present the concept of robustness rate based on the theory of quantitative information flow analysis. We implement a quantitative analysis model of information release based on bounded model checking, which provides the basis for calculating the robustness rate. We make theoretical and experimental analyses of the robustness of the average-salary laundering attack, and the two results are consistent. The quantitative robust release policy can achieve flexible control of information release through different thresholds.
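The following is an added illustration, not code from the dissertation, of the two ideas the abstract turns on: a WHERE dimension that lets secret data reach public variables only through a dedicated release statement, and a WHAT dimension that bounds the release to an expression the policy has pre-approved. It is a toy dynamic monitor over a tiny assignment language (the statement/expression encoding, the `ReleaseMonitor` class, the salary labels and the three constructed programs are all assumptions of this example). The WHAT check is a deliberate simplification in the style of delimited release: the released value must equal the approved expression evaluated over the secrets as they were at program start, which is exactly what the average-salary laundering attack of part (3) violates when it zeroes the other salaries before the release.

```python
import operator
from functools import reduce

HIGH, LOW = "H", "L"          # two-point security lattice


def join(a, b):
    """Least upper bound of two labels: anything touched by H data is H."""
    return HIGH if HIGH in (a, b) else LOW


class PolicyViolation(Exception):
    """Raised when a statement would violate the release policy."""


class ReleaseMonitor:
    """Dynamic monitor for a WHAT + WHERE release policy (toy, assumed design).

    labels:          variable name -> HIGH or LOW
    escape_hatches:  expressions the policy expects to be released
    Expressions are tuples: ("const", v), ("var", name), ("op", fn, e1, e2, ...)
    Statements are tuples: ("assign", target, expr) or ("declassify", target, expr)
    """

    def __init__(self, labels, escape_hatches):
        self.labels = labels
        self.hatches = escape_hatches
        self.released = []          # audit log of (target, value) releases

    def eval(self, expr, store):
        """Evaluate expr; return (value, label) where label is the join of inputs."""
        kind = expr[0]
        if kind == "const":
            return expr[1], LOW
        if kind == "var":
            return store[expr[1]], self.labels[expr[1]]
        if kind == "op":
            _, fn, *args = expr
            results = [self.eval(a, store) for a in args]
            value = fn(*(v for v, _ in results))
            label = reduce(join, (lbl for _, lbl in results), LOW)
            return value, label
        raise ValueError(f"unknown expression kind {kind!r}")

    def run(self, program, inputs):
        store = dict(inputs)
        initial = dict(inputs)      # baseline the WHAT check is judged against
        for kind, target, expr in program:
            value, label = self.eval(expr, store)
            if kind == "assign":
                # WHERE: a plain assignment never moves H data into an L variable
                if label == HIGH and self.labels[target] == LOW:
                    raise PolicyViolation(
                        f"WHERE: secret flows into public '{target}' outside a declassify statement")
            elif kind == "declassify":
                # WHAT (part 1): only a pre-approved expression may be released
                if expr not in self.hatches:
                    raise PolicyViolation("WHAT: released expression is not one the policy expects")
                # WHAT (part 2): the released value must be what the policy sanctioned over
                # the original secrets; a mismatch means earlier code reshaped the secrets
                expected, _ = self.eval(expr, initial)
                if value != expected:
                    raise PolicyViolation(
                        "WHAT: released value no longer equals the expected release (laundering)")
                self.released.append((target, value))
            else:
                raise ValueError(f"unknown statement kind {kind!r}")
            store[target] = value
        return store


# Constructed scenario: three secret salaries, a public average, a public scratch variable.
SALARY_LABELS = {"s1": HIGH, "s2": HIGH, "s3": HIGH, "avg": LOW, "out": LOW}
AVERAGE = ("op", lambda a, b, c: (a + b + c) / 3, ("var", "s1"), ("var", "s2"), ("var", "s3"))
SALARY_POLICY = [AVERAGE]                      # the only release the policy expects
SALARIES = {"s1": 3000, "s2": 4000, "s3": 5000, "avg": 0, "out": 0}   # constructed inputs

PROGRAMS = {
    # sanctioned: release exactly the expected average
    "expected_release": [("declassify", "avg", AVERAGE)],
    # WHERE violation: copy a secret to a public variable with no release statement
    "direct_leak": [("assign", "out", ("var", "s1"))],
    # WHAT violation: zero two salaries so the "average" reveals s1 (laundering)
    "laundering": [("assign", "s2", ("const", 0)),
                   ("assign", "s3", ("const", 0)),
                   ("declassify", "avg", AVERAGE)],
}


def check(program, labels=SALARY_LABELS, hatches=SALARY_POLICY, inputs=SALARIES):
    """Run program under the monitor; return 'ok' or the violation message."""
    try:
        ReleaseMonitor(labels, hatches).run(program, inputs)
        return "ok"
    except PolicyViolation as exc:
        return str(exc)


if __name__ == "__main__":
    for name, program in PROGRAMS.items():
        print(f"{name:18s} -> {check(program)}")
```

The automaton-style monitor of mechanism (ii) would consume the same abstract command events (assign, declassify) and stop the program at the first forbidden one; the type-rule mechanism (i) would reject `direct_leak` statically, while `laundering` is the case that motivates a knowledge-based WHAT condition rather than a purely syntactic one.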
Keywords/Search Tags: Programming language, information release, noninterference, information flow control