A Partial Ordered Number System for Information Flow Control

Full Text (PDF, 363KB), PP.1-13

Views: 0 Downloads: 0

Author(s)

Shih-Chien Chou 1,*

1. Department of Computer Science and Information Engineering, National Dong Hwa University, Taiwan

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2013.04.01

Received: 28 Jun. 2012 / Revised: 20 Oct. 2012 / Accepted: 17 Jan. 2013 / Published: 8 Mar. 2013

Index Terms

Information Flow Control, Information Leakage Prevention, Security, Access Control, Partial Ordered

Abstract

Information flow control models can be applied widely. This paper discusses only the models preventing information leakage during program execution. In the prevention, an information flow control model dynamically monitors statements that will cause information flows and ban statements that may cause leakage. We involved in the research of information flow control for years and identified that sensitive information may be leaked only when it is output. However, most existing models ignore information flows induced by output statements. We thus designed a new model XIFC (X information flow control) that especially emphasizes the monitoring of output statements. We also designed XIFC as a precise and low runtime overhead model. To achieve this purpose, we took a different viewpoint to re-examine the features offered by existing models and extracted a necessary feature set for the design. Our experiments show that XIFC bans every non-secure information flow and substantially reduces runtime overhead when comparing with our previous work.

Cite This Paper

Shih-Chien Chou,"A Partial Ordered Number System for Information Flow Control", International Journal of Information Technology and Computer Science(IJITCS), vol.5, no.4, pp.1-13, 2013. DOI:10.5815/ijitcs.2013.04.01

Reference

[1]Li P. and Zdancewic S. Practical Information-flow Control in Web-based Information Systems. In: 18’th IEEE Computer Security Foundation Workshop, 2005.

[2]Krohn M, Yip A, Brodsky M, Cliffer N, Kaashoek M F, Kohler E, and Morris R. Information Flow Control for Standard OS Abstractions. In: SOSP’07, 2007.

[3]Roy I, Porter D E, Bond M D, McKinley K S, and Witchel E. Laminar: Practical Fine-Grained Decentralized Information Flow Control. In: PLDI’09, 2009. 

[4]Zeldovich N, Boyd-Wickizer S, and Mazieres D. Securing Distributed Systems with Information Flow Control. In: 7’th Symposium on Operating System Design and Imoplementation, 2006.

[5]Chou S –C and Huang C –H. An Extended XACML Model to Ensure Secure Information Access for Web Services. Journal of Systems and Software, 2010, 83(1): 77-84.

[6]Chou S –C. Dynamically Preventing Information Leakage for Web Services using Lattice. In: 5’th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), 2010.

[7]She W, Yen I -L, Thuraisingham B, and Bertino E. The SCIFC Model for Information Flow Control in Web Service Composition. In: 2009 IEEE International Conference on Web Services, 2009.

[8]She W, Yen I -L, Thuraisingham B, and Bertino E. Effective and Efficient Implementation of an Information Flow Control Protocol for Service Composition. In: IEEE International Conference on Service-Oriented Computing and Applications, 2009.

[9]Harrison M H, Ruzzo W L, and Ullman J D. Protection in Operating Systems. Communications of the ACM, 1976, 19(8): 461-471.

[10]Olivier M S, van de Riet R P, and Gudes E. Specifying Application-level Security in Workflow Systems. In: 9’th International Workshop on Database and Expert Systems Applications, 1998, 346-351.

[11]Thomas R K and Sandhu R S. Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management. In: IFIP WG11.3 Workshop on Database Security, 1997.

[12]Myers A and Liskov B. Complete, Safe Information Flow with Decentralized Labels. In: 14’th IEEE Symp. Security and Privacy, 1998, 186-197.

[13]Available on http://en.wikipedia.org/wiki/Discretionary_access_control

[14]Bell D E and LaPadula L J. Secure Computer Systems: Unified Exposition and Multics Interpretation. Available on http://csrc.nist.gov/publications/history/bell76.pdf

[15]Denning D E. A Lattice Model of Secure Information Flow. Comm. ACM, 1976, 19(5): 236-243.

[16]Denning D E and Denning P J. Certification of Program for Secure Information Flow. Comm. ACM, 1977, 20(7): 504-513.

[17]Brewer D F C, and Nash M J. The Chinese Wall Access control policy. In: Proc. 5’th IEEE Symp. Security and Privacy, 1989, 206-214.

[18]Sandhu R S. Lattice-Based Access Control Models. IEEE Computer, 1993, 26(11): 9-19.

[19]Samarati P, Bertino E, Ciampichetti A, and Jajodia S. Information Flow Control in Object-Oriented Systems. IEEE Trans. Knowledge Data Eng, 1997, 9(4): 524-538.

[20]Bertino E, Sabrina de Capitani di Vimercati, Ferrari E, and P. Samarati P. Exception-based Information Flow Control in Object-Oriented Systems. ACM Trans. Information System Security, 1998, 1(1): 26-65.

[21]Ferrari E, Samarati P, Bertino E, and Jajodia S. Providing Flexibility in Information flow control for Object-Oriented Systems. In: 13’th IEEE Symp. Security and Privacy, 1997, 130-140.

[22]Maamir A and Fellah A. Adding Flexibility in Information Flow Control for Object-Oriented Systems Using Versions. International Journal of Software Engineering and Knowledge Engineering, 2003,. 13(3): 313-326.

[23]Yasuda M, Tachikawa T, and Takizawa M. Information Flow in a Purpose-Oriented Access Control Model. In: 1997 International Conf. Parallel and Distributed Systems, 1997. 244-249.

[24]Yasuda M, Tachikawa T, and Takizawa M. A Purpose-Oriented Access Control Model. In: 12’th International Conf. Information Networking, 1998, 168-173.

[25]Tachikawa T, Yasuda M, and Takizawa M. A Purposed-Oriented Access Control Model in Object-Based Systems. Trans. Information Processing Society of Japan, 1997, 38(11): 2362-2369.

[26]Varadharajan V and Black S. A Multilevel Security Model for a Distributed Object-Oriented System. In: 6’th IEEE Symp. Security and Privacy, 1990, 68-78.

[27]McIlroy M D and Reeds J A. Multilevel Security in the UNIX Tradition. Software - Practice and Experience, 1992, 22(8): 673-694.

[28]Myers A C and Liskov B. A Decentralized Model for Information Flow Control. In: 17’th ACM Symp. Operating Systems Principles, 1997, 129-142.

[29]Myers A C. JFlow: Practical Mostly-Static Information Flow Control. In: 26’th ACM Symp. Principles of Programming Language, 1999, 228-241.

[30]Myers A and Liskov B. Protecting Privacy using the Decentralized Label Model. ACM Trans. Software Eng. Methodology, 2000, 9(4): 410-442. 

[31]Zhang C N and Yang C. An Object-Oriented RBAC model for Distributed System. In: Working IEEE/IFIP Conference on Software Architecture, 2001, 24-32.

[32]Ferraiolo D F, Sandhu S, Gavrila S, Kuhn D R, and Chandramouli R. Proposed NIST Standard for Role-Based Access Control. ACM Trans. Information and System Security. 2001, 4(3): 224-274.

[33]Sandhu R S, Coyne E J, Feinstein H L, and Youman C E. Role-Based Access Control Models. IEEE Computer, 1996, 29(2): 38-47.

[34]Nyanchama M and Osborn S. Modeling Mandatory Access Control in Role-Based Security Systems. Database Security IX: Status and Prospects, 1995, 129-144.

[35]Osborn S. Mandatory Access Control and Role-Based Access Control Revisited. In: Proc. Second ACM Workshop on Role-Based Access Control, 1997, 31-40.

[36]Osborn S, Sandhu R, and Munawer Q. Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Trans. Info. Sys. Security, 2000, 3(2): 85-106.

[37]Sandhu R. Role Hierarchies and Constraints for Lattice-Based Access Controls. In: Fourth European Symposium on Research in Computer Security, 1996, 65-79.

[38]Izaki K, Tanaka K, and Takizawa M. Information Flow Control in Role-Based Model for Distributed Objects. In: 8’th International Conf. Parallel and Distributed Systems, 2001, 363-370.

[39]Chou S -C. Embedding Role-Based Access Control Model in Object-Oriented Systems to Protect Privacy. Journal of Systems and Software, 2004, 71(1-2): 143-161.

[40]A. Maamir A, A. Fellah A, and A. Salem A, Controlling Flow in Object-oriented Systems. Journal of Information Assurance and Security, 2008, 2(2): 140-146.

[41]Chou S. –C and Chang C –Y. An Information Flow Control Model for C Applications Based on Access Control Lists. Journal of Systems and Software, 2005, 78(1): 84-100.

[42]Chou S. –C and Chen Y. –C. Managing Role Relationships in an Information Flow Control Model. Journal of Systems and Software, 2006, 79(4): 507-522.

[43]Chou S. –C. Providing Flexible Access Control to an Information Flow Control Model. Journal of Systems and Software, 2004, 73(3): 425-439.

[44]Chou S -C, Liu A -F, and Wu C -J, Preventing Information Leakage within Workflows That Execute among Competing Organizations. Journal of Systems and Software, 2005, 75(1-2): 109-123.