Security policies are naturally dynamic. Reflecting this, there has been a growing interest in studying information-flow properties which change during program execution, including concepts such as declassification, revocation, and role-change. A static verification of a dynamic information flow policy, from a semantic perspective, should only need to concern itself with two things: 1) the dependencies between data in a program, and 2) whether those dependencies are consistent with the intended flow policies as they change over time. In this paper we provide a formal ground for this intuition. We present a straightforward extension to the principal flow-sensitive type system introduced by Hunt and Sands (POPL '06, ESOP '11) to infer both end-to-end dependencies and dependencies at intermediate points in a program. This allows typings to be applied to verification of both static and dynamic policies. Our extension preserves the principal type system's distinguishing feature, that type inference is independent of the policy to be enforced: a single, generic dependency analysis (typing) can be used to verify many different dynamic policies of a given program, thus achieving a clean separation between (1) and (2). We also make contributions to the foundations of dynamic information flow. Arguably, the most compelling semantic definitions for dynamic security conditions in the literature are phrased in the so-called knowledge-based style. We contribute a new definition of knowledge-based termination insensitive security for dynamic policies. We show that the new definition avoids anomalies of previous definitions and enjoys a simple and useful characterisation as a two-run style property.
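The separation the abstract describes, a single policy-independent dependency typing that records what each variable may depend on at every program point, later checked against whatever static or dynamic policy is of interest, can be illustrated with a toy analysis. The following Python is an added, constructed example and is not the paper's type system: the tiny statement language, the point labels, the function-valued policies and the sample program are all assumptions made here, and the code tracks only which inputs may flow into each variable (with implicit flows from guards), ignoring termination channels.

```python
"""Toy flow-sensitive dependency typing, kept separate from policy checking.

Constructed illustration (not the paper's type system): a program in a tiny
imperative language is typed ONCE to obtain, at every program point, the set
of inputs each variable may depend on; that single typing is then checked
against several different (static or dynamic) policies.
"""
from typing import Callable, Dict, List, Set, Tuple

Deps = Dict[str, Set[str]]                 # variable -> inputs it may depend on
# Statements (assumed syntax):
#   ('assign', target, {vars read})  or  ('if', {vars read in guard}, then_block, else_block)
Stmt = tuple
Policy = Callable[[str, str], Set[str]]    # (program point, variable) -> inputs allowed to flow there


def _join(a: Deps, b: Deps) -> Deps:
    """Pointwise union: the typing after an if is the join of both branches."""
    return {v: a.get(v, set()) | b.get(v, set()) for v in set(a) | set(b)}


def _analyse(block: List[Stmt], env: Deps, pc: Set[str],
             points: Dict[str, Deps], prefix: str) -> Deps:
    """Walk a block, recording the typing after each statement in `points`.

    `pc` holds the inputs the control flow currently depends on, so
    assignments inside a branch pick up implicit flows from the guard.
    """
    env = {v: set(d) for v, d in env.items()}
    for i, stmt in enumerate(block):
        label = f"{prefix}{i}"
        if stmt[0] == "assign":
            _, target, used = stmt
            deps = set(pc)
            for u in used:
                deps |= env[u]
            env[target] = deps          # flow-sensitive: old deps of target are replaced
        elif stmt[0] == "if":
            _, guard, then_block, else_block = stmt
            branch_pc = set(pc)
            for g in guard:
                branch_pc |= env[g]
            then_env = _analyse(then_block, env, branch_pc, points, label + ".t")
            else_env = _analyse(else_block, env, branch_pc, points, label + ".e")
            env = _join(then_env, else_env)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
        points[label] = {v: set(d) for v, d in env.items()}
    return env


def typing_of(prog: List[Stmt], inputs: Set[str]) -> Dict[str, Deps]:
    """Policy-independent typing: program point label -> dependency environment."""
    points: Dict[str, Deps] = {}
    _analyse(prog, {v: {v} for v in inputs}, set(), points, "")
    return points


def check(points: Dict[str, Deps], policy: Policy) -> List[Tuple[str, str, frozenset]]:
    """Return (point, variable, disallowed inputs) for every policy violation."""
    violations = []
    for point in sorted(points):
        for var, deps in points[point].items():
            bad = deps - policy(point, var)
            if bad:
                violations.append((point, var, frozenset(bad)))
    return violations


# --- constructed sample program and policies -------------------------------
INPUTS = {"secret", "low"}
PROGRAM: List[Stmt] = [
    ("assign", "out", {"low"}),                 # point 0:    out := low
    ("if", {"secret"},                          # point 1:    implicit flow from secret
        [("assign", "out", set())],             #   point 1.t0: out := 1
        [("assign", "out", set())]),            #   point 1.e0: out := 0
    ("assign", "out", {"low"}),                 # point 2:    out overwritten with public data
]


def static_policy(point: str, var: str) -> Set[str]:
    """Static policy: the public sink `out` may never depend on `secret`."""
    return {"low"} if var == "out" else INPUTS


def dynamic_policy(point: str, var: str) -> Set[str]:
    """Dynamic policy: `secret` is released into `out` only while statement 1
    runs (points '1', '1.t0', '1.e0') and is revoked again afterwards."""
    if var == "out" and point.split(".")[0] == "1":
        return INPUTS
    return static_policy(point, var)


if __name__ == "__main__":
    typing = typing_of(PROGRAM, INPUTS)                  # computed once ...
    print("static :", check(typing, static_policy))     # ... checked against many policies
    print("dynamic:", check(typing, dynamic_policy))
```

The same `typing` serves both checks: the static policy rejects the implicit flow at statement 1 (and inside both of its branches), while the dynamic policy that releases `secret` during statement 1 and revokes it afterwards accepts the program, because the typing at point 2 shows `out` depending on `low` alone again.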