DOI: 10.1145/2166956.2166961

Capabilities for information flow

Published: 05 June 2011

Abstract

This paper presents a capability-based mechanism for permissive yet secure enforcement of information-flow policies. Language capabilities have been studied widely, and several popular implementations, such as Caja and Joe-E, are available. By making the connection from capabilities to information flow, we enable smooth enforcement of information-flow policies using capability systems. The paper presents a transformation that, given an arbitrary source program in a simple imperative language, produces a secure program in a language with capabilities. We present formal guarantees of security and permissiveness and report on experiments to enforce information-flow policies for web applications using Caja.
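The abstract states the idea only at a high level. The following is an added illustration, not the paper's transformation and not Caja's or Joe-E's code: it sketches in JavaScript how object capabilities can carry an information-flow policy for a guest program. Variables are cells reachable only through read and write capability objects; every read yields a value labelled with the cell's level, write capabilities refuse data labelled above their cell (explicit flows such as `l = h`), and while control flow depends on a high value the guest is handed a capability set in which the low-write capabilities have been replaced by revoked stubs (implicit flows such as `if (h) l = 1`). The two-point lattice, the helper names (`makeCell`, `restrictWrites`, `branch`, `runGuest`) and the three guest programs are all constructed for this example.

```javascript
'use strict';

// Added illustration: information-flow enforcement assembled from object
// capabilities. The guest never touches variables directly; it only holds
// read/write capability objects, and the policy lives in those objects.

const LOW = 0, HIGH = 1;                       // two-point lattice, LOW below HIGH
const join = (a, b) => Math.max(a, b);
const labelled = (value, level) => Object.freeze({ value, level });

// makeCell: a variable with a fixed level. Only `read` and `write` are ever
// handed to guest code; `peek` stays on the trusted side (used by the harness).
function makeCell(name, level, initial) {
  let value = initial;
  const read = Object.freeze({ name, level, get: () => labelled(value, level) });
  const write = Object.freeze({
    name, level,
    set(lv) {
      if (lv.level > level) {                  // explicit flow, e.g. l = h
        throw new Error(`explicit flow into ${name}`);
      }
      value = lv.value;
    },
  });
  return { read, write, peek: () => value };
}

// restrictWrites: the write capabilities visible under program counter `pc`.
// Capabilities for cells below pc are replaced by revoked stubs, so an implicit
// flow fails closed: inside a high branch the guest simply cannot write l.
function restrictWrites(caps, pc) {
  const out = {};
  for (const [name, cap] of Object.entries(caps)) {
    out[name] = cap.level >= pc ? cap : Object.freeze({
      name, level: cap.level,
      set() { throw new Error(`implicit flow into ${name}`); },
    });
  }
  return Object.freeze(out);
}

// Arithmetic on labelled values: the result carries the join of the labels.
const add = (a, b) => labelled(a.value + b.value, join(a.level, b.level));

// branch: the guest's `if`. The chosen arm runs with pc raised to the guard's
// level and with the correspondingly restricted set of write capabilities.
function branch(guard, pc, writes, thenFn, elseFn) {
  const pc2 = join(pc, guard.level);
  const w = restrictWrites(writes, pc2);
  return guard.value ? thenFn(w, pc2) : elseFn(w, pc2);
}

// runGuest: create cells l (LOW, initially 0) and h (HIGH), run a guest with
// its capability sets at pc = LOW, and report the outcome and the final l.
function runGuest(guest, hInit) {
  const l = makeCell('l', LOW, 0);
  const h = makeCell('h', HIGH, hInit);
  const reads = Object.freeze({ l: l.read, h: h.read });
  const writes = Object.freeze({ l: l.write, h: h.write });
  try {
    guest(reads, writes, LOW);
    return { ok: true, l: l.peek() };
  } catch (e) {
    return { ok: false, l: l.peek(), error: e.message };
  }
}

// Three constructed guest programs.
const explicitLeak = (r, w) => w.l.set(r.h.get());               // l = h
const implicitLeak = (r, w, pc) =>                                 // if (h) l = 1
  branch(r.h.get(), pc, w, (w2) => w2.l.set(labelled(1, LOW)), () => {});
const benign = (r, w, pc) => {                                     // l = l + 1; if (h) h = l
  w.l.set(add(r.l.get(), labelled(1, LOW)));
  branch(r.h.get(), pc, w, (w2) => w2.h.set(r.l.get()), () => {});
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runGuest(explicitLeak, 1));  // { ok: false, l: 0, error: 'explicit flow into l' }
  console.log(runGuest(implicitLeak, 1));  // { ok: false, l: 0, error: 'implicit flow into l' }
  console.log(runGuest(benign, 1));        // { ok: true, l: 1 }
}
```

Run it with `node`. The guest code is ordinary JavaScript; what makes the enforcement hold is that the only route to a variable is a capability object whose behaviour depends on the security context, so the policy cannot be bypassed by the guest no matter how it is written. The usual caveat for any mechanism that stops a program applies: whether `implicitLeak` completes or throws depends on `h`, so termination remains observable and what is enforced is termination-insensitive noninterference.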



Published In
PLAS '11: Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
June 2011
89 pages
ISBN:9781450308304
DOI:10.1145/2166956

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. capabilities
  2. information flow control

Qualifiers

  • Research-article

Conference

PLDI '11

Acceptance Rates

Overall Acceptance Rate 43 of 77 submissions, 56%

Cited By
  • Fabric: Building open distributed systems securely by construction. Journal of Computer Security 25(4-5):367-426, 10 Jul 2017. DOI 10.3233/JCS-15805
  • Multiple Facets for Dynamic Information Flow with Exceptions. ACM Transactions on Programming Languages and Systems 39(3):1-56, 10 May 2017. DOI 10.1145/3024086
  • On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 150-163, Jun 2016. DOI 10.1109/CSF.2016.18
  • It's My Privilege. Proceedings of the 11th International Workshop on Security and Trust Management, LNCS 9331, pp. 203-219, 21 Sep 2015. DOI 10.1007/978-3-319-24858-5_13
  • How to Break the Bank: Semantics of Capability Policies. Integrated Formal Methods, pp. 18-35, 2014. DOI 10.1007/978-3-319-10181-1_2
  • Faceted execution of policy-agnostic programs. Proceedings of the Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 15-26, 20 Jun 2013. DOI 10.1145/2465106.2465121
  • Multiple facets for dynamic information flow. Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 165-178, 25 Jan 2012. DOI 10.1145/2103656.2103677
  • Multiple facets for dynamic information flow. ACM SIGPLAN Notices 47(1):165-178, 25 Jan 2012. DOI 10.1145/2103621.2103677
  • COAST. Proceedings of the 2012 Joint Working IEEE/IFIP Conference on Software Architecture and European Conference on Software Architecture, pp. 71-80, 20 Aug 2012. DOI 10.1109/WICSA-ECSA.212.15
  • Sharing Mobile Code Securely with Information Flow Control. Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 191-205, 20 May 2012. DOI 10.1109/SP.2012.22
