Real-world applications routinely make authorization decisions based on dynamic computation. Reasoning about dynamically computed authority is challenging. Integrity of the system might be compromised if attackers can improperly influence the authorizing computation. Confidentiality can also be compromised by authorization, since authorization decisions are often based on sensitive data such as membership lists and passwords. Previous formal models for authorization do not fully address the security implications of permitting trust relationships to change, which limits their ability to reason about authority that derives from dynamic computation. Our goal is an approach to constructing dynamic authorization mechanisms that do not violate confidentiality or integrity. The Flow-Limited Authorization Calculus (FLAC) is a simple, expressive model for reasoning about dynamic authorization as well as an information flow control language for securely implementing various authorization mechanisms. FLAC combines the insights of two previous models: it extends the Dependency Core Calculus with features made possible by the Flow-Limited Authorization Model. FLAC provides strong end-to-end information security guarantees even for programs that incorporate and implement rich dynamic authorization mechanisms. These guarantees include noninterference and robust declassification, which prevent attackers from influencing information disclosures in unauthorized ways. We prove these security properties formally for all FLAC programs and explore the expressiveness of FLAC with several examples.
翻译:真实世界应用程序通常根据动态计算法做出授权决定。根据动态计算权的理由具有挑战性。如果攻击者对授权计算有不当影响,系统的完整性可能受到损害。保密也可能因授权而受到损害,因为授权决定往往以成员名单和密码等敏感数据为基础。以前的正式授权模式没有完全解决允许信任关系改变的安全影响,这限制了他们根据动态计算法获得授权的能力。我们的目标是建立动态授权机制,不违反保密或完整性。流动限制授权计算法(FLAC)是一个简单明晰的动态授权推理模型,还有一个信息流通控制语言,用于安全地实施各种授权机制。 FLAC综合了前两种模式的见解:将依赖性核心计算法与流动有限授权模式带来的特征加以扩展。FLAC提供了强有力的端对端信息安全保障保证,即使对包含和实施丰富的动态授权机制的方案也是如此。这些保证包括不干预和稳健的解分类,防止攻击者以未经授权的方式影响信息披露。我们用FLAC系统的所有安全性实例正式探索这些安全特性。