Verification of Information Flow and Access Control Policies with Dependent Types

被引:38
|
作者
Nanevski, Aleksandar [1 ]
Banerjee, Anindya [1 ]
Garg, Deepak [2 ]
机构
[1] IMDEA Software Inst, Madrid, Spain
[2] Carnegie Mellon Univ, Pittsburgh, PA 15213 USA
来源
2011 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP 2011) | 2011年
关键词
Information Flow; Access Control; Type Theory;
D O I
10.1109/SP.2011.12
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.
引用
收藏
页码:165 / 179
页数:15
相关论文
共 50 条
  • [21] Resiliency Policies in Access Control
    Li, Ninghui
    Wang, Qihua
    Tripunitara, Mahesh
    ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY, 2009, 12 (04)
  • [22] Tuple-Based Access Control: a Provenance-Based Information Flow Control for Relational Data
    Thion, Romuald
    Lesueur, Francois
    Talbi, Meriam
    30TH ANNUAL ACM SYMPOSIUM ON APPLIED COMPUTING, VOLS I AND II, 2015, : 2165 - 2170
  • [23] Information-Flow-Based Access Control for Web Browsers
    Yoshihama, Sachiko
    Tateishi, Takaaki
    Tabuchi, Naoshi
    Matsumoto, Tsutomu
    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS, 2009, E92D (05): : 836 - 850
  • [24] TOWARDS FORMAL SECURITY ANALYSIS OF DECENTRALIZED INFORMATION FLOW CONTROL POLICIES
    Yang, Zhi
    Yin, Lihua
    Jin, Shuyuan
    Duan, MiYi
    INTERNATIONAL JOURNAL OF INNOVATIVE COMPUTING INFORMATION AND CONTROL, 2012, 8 (11): : 7969 - 7981
  • [25] The hybrid model for web services security Access control and information flow control
    Kedjar, Saadia
    Tari, Abdelkamel
    2013 8TH INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS (ICITST), 2013, : 194 - +
  • [26] Multi-Tenant Access and Information Flow Control for SaaS
    Solanki, Nidhiben
    Zhu, Wei
    Yen, I-Ling
    Bastani, Farokh
    Rezvani, Elham
    2016 IEEE INTERNATIONAL CONFERENCE ON WEB SERVICES (ICWS), 2016, : 99 - 106
  • [27] Quantum Information-Flow Security: Noninterference and Access Control
    Ying, Mingsheng
    Feng, Yuan
    Yu, Nengkun
    2013 IEEE 26TH COMPUTER SECURITY FOUNDATIONS SYMPOSIUM (CSF), 2013, : 130 - 144
  • [28] Security Analysis of Administrative Role-Based Access Control Policies with Contextual Information
    Khai Kim Quoc Dinh
    Tuan Duc Tran
    Anh Truong
    FUTURE DATA AND SECURITY ENGINEERING, 2017, 10646 : 243 - 261
  • [29] A Model Checking Based Approach for Verification of Attribute-Based Access Control Policies in Cloud Infrastructures
    Kotenko, Igor
    Saenko, Igor
    Levshun, Dmitry
    PROCEEDINGS OF THE FOURTH INTERNATIONAL SCIENTIFIC CONFERENCE INTELLIGENT INFORMATION TECHNOLOGIES FOR INDUSTRY (IITI'19), 2020, 1156 : 165 - 175
  • [30] Testing Access Control and Obligation Policies
    Xu, Dianxiang
    Sanford, Michael
    Liu, Zhaoliang
    Emry, Mark
    Brockmueller, Brad
    Johnson, Spencer
    To, Michael
    2013 INTERNATIONAL CONFERENCE ON COMPUTING, NETWORKING AND COMMUNICATIONS (ICNC), 2013,
12345