Gradual Release: Unifying Declassification, Encryption and Key Release Policies

Gradual Release: Unifying Declassification, Encryption and Key Release Policies

Gradual Release: Unifying Declassification, Encryption and Key Release Policies Aslan Askarov Andrei Sabelfeld Department of Computer Science and Engineering Chalmers University of Technology 412 96 Göteborg, Sweden Abstract tion release, exposing the other aspects for possible attacks. It is striking that these approaches fall into two mostly sep- Information security has a challenge to address: en- arate categories: revelation-based (as in information pur- abling information-flow controls with expressive informa- chase, aggregate computation, moves in a game, etc.) and tion release (or declassification) policies. Existing ap- encryption-based declassification (as in sending encrypted proaches tend to address some aspects of information re- secrets over an untrusted network, storing passwords, etc.). lease, exposing the other aspects for possible attacks. It It is essential that declassification policies support a combi- is striking that these approaches fall into two mostly sep- nation of these categories: for example, a possibility to re- arate categories: revelation-based (as in information pur- lease the result of encryption should not be abused to release chase, aggregate computation, moves in a game, etc.) and cleartext through the same declassification mechanism. encryption-based declassification (as in sending encrypted This paper introduces gradual release, a policy that uni- secrets over an untrusted network, storing passwords, etc.). fies declassification, encryption, and key release policies. This paper introduces gradual release, a policy that uni- As we explain below, the latter is not only a useful fea- fies declassification, encryption, and key release policies. ture, but also a vital component for connecting revelation- We model an attacker’s knowledge by the sets of possible se- based and encryption-based declassification. We model an cret inputs as functions of publicly observable outputs. The attacker’s knowledge by the sets of possible secret inputs essence of gradual release is that this knowledge must re- as functions of publicly observable outputs. The essence of main constant between releases. Gradual release turns out gradual release is that this knowledge must remain constant to be a powerful foundation for release policies, which we between releases. Gradual release turns out to be a powerful demonstrate by formally connecting revelation-based and foundation for release policies, which we demonstrate by encryption-based declassification. Furthermore, we show formally connecting revelation-based and encryption-based that gradual release can be provably enforced by security declassification. types and effects. When it comes to handling encryption, there is a demand for expressing rich policies beyond declassification at the point of encryption. To this end, a desirable ingredient in 1 Introduction declassification policies is reasoning about released keys. In bit commitment, premature revelation of the bit should Information security [32] has a challenge to address: be prevented by not releasing the secret key until neces- enabling information flow controls with expressive infor- sary. In a media distribution scenario—when large media mation release (or declassification) policies [32, 42, 34]. In is distributed in encrypted form, and the key is supplied on a scenario of systems that operate on data with different the date of media release—early key release should be pre- sensitivity levels, the goal is to provide security assurance vented. In addition, key release policies are important for via restricting the information flow within the system. mental poker [35, 9, 4] (for playing poker without a trusted However, allowing no flow whatsoever from secret (high) third party), where the participants reveal their keys for each inputs to public (low) outputs (as prescribed by nonin- other at the end of the game, in order to prove that they were terference [16]) is too restrictive because many systems not cheating during the game. In this protocol too, it should deliberately declassify information from high to low. not be possible to release secret keys prematurely or encrypt Characterizing and enforcing declassification policies is with a key that has already been released. the focus of an active area of research [34]. However, exist- Gradual release allows for reasoning about newly gener- ing approaches tend to address selected aspects of informa- ated and released keys. In fact, this combination turns out to In Proc. IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, May 2007. © IEEE be crucial for connecting revelation-based and encryption- Low-equivalence Memories are mappings of variable based declassification. We show that gradual release for names to values. Two memories M1, M2 are low-equivalent revelation-based declassification can be represented by a with respect to a security environment ¡ if 8x : ¡(x) v rewardingly simple encryption-based declassification: de- L =) M1(x) = M2(x). This is denoted as M1 »¡ M2. classifying an expression corresponds to encrypting the ex- pression with a fresh key and immediately releasing the key. Semantics and low events As is standard, expressions As a result, gradual release is, to the best of our knowl- evaluate according to rules of the form hM; ei + n, where edge, the first framework to unify revelation-based and hM; ei is a configuration consisting of the memory M and encryption-based declassification policies. Furthermore, we the expression to evaluate e, and n is the resulting value. show that gradual release can be provably enforced by se- Semantics for commands are expressed by small-step curity types and effects. transitions between configurations. These transitions have Structure-wise, Section 2 introduces gradual release, il- either the form hM; ci ¡!® hM 0; c0i, which corresponds to a lustrates its properties, and shows how to enforce it by a step from configuration hM; ci to configuration hM 0; c0i, or security type system for a simple declassification-enabled # the form hM; ci ¡! M 0, which corresponds to termination language. Section 3 enriches the language with key gen- in the memory M 0. eration, encryption, and key release primitives. Section 4 A transition is low if it is due to an assignment to a applies gradual release to the enriched language. Section 5 low variable or termination. The event ® 2 f²; `g records presents a type and effect system that enforces gradual re- whether the transition is low (reflected by the label `, where lease for the enriched language. Section 6 provides useful ` is either the projection M 0 of the low part of M 0 or a ter- examples of typed programs. Section 7 discusses related L mination event #) or otherwise (reflected by the empty label work, and Section 8 concludes. ~` ~` ²). We write hM; ci ¡!¤ hM 0; c0i (resp. hM; ci ¡!¤ M 0) when hM 0; c0i (resp. M 0) is reachable from hM; ci by a se- 2 Gradual release quence of small steps, where ~` represents the sequence of generated low events. We classify the termination event # Gradual release is a general notion, defined in terms of as low. If an event in a sequence is a termination event, then events (which are classified into low and high, with some no other events may be generated after it. of the low ones classified as release events). Of particu- A particular kind of low events are due to declassify lar interest are language-based instantiations of this model, commands. We refer to those events as release events. Re- where events are generated by program constructs. A direct lease events record the points of intentional information re- benefit of such instantiations is the possibility of enforc- lease by a command. The complete semantics of the lan- ing gradual release by static analysis. To be concrete (but guage is available in an accompanying technical report [5]. without loss of generality), we present gradual release for a simple imperative language with declassification. We show Knowledge We let the attacker observe the low projec- that gradual release is a conservative extension of noninter- tion M 0 of the initial memory M 0, and all intermediate ference and demonstrate how to provably enforce gradual L low events `1; : : : ; `n generated during a run of a command release by a security type system. c. Given these observations, the attacker may infer the set of initial memories that could possibly have led to these events. We refer to this set as the attacker’s knowledge about Language Figure 1 presents the syntax of the language, the initial memory. which contains expressions e and commands c. For sim- Semantically, the knowledge is a set of tuples, where plicity, we assume that variables are assigned one of the each tuple represents a possible initial memory. For exam- two security levels: L (low) or H (high), forming a simple ple, consider the program l := h + h and a sample run security lattice, where L @ H. These levels are recorded in 1 2 that yields a low event ` where `(l) = 10. The attacker’s the security environment ¡, a mapping from variable names knowledge in this case is all such memories that the sum of to security levels. The construct declassify(e) in an as- h and h is 10: signment is provided for declassifying the level of e to L. 1 2 h1 h2 ::: e ::= n j x j e op e f (1; 9;::: ) c ::= skip j x := e j c; c j if e then c else c (2; 8;::: ) j while e do c j x := declassify(e) (3; 7;::: ) (4; 6;::: ) Figure 1. Simple imperative language ::: g 2 Note that in our terminology knowledge corresponds to un- Noninterference We present a definition of noninterfer- certainty about the tuples in the knowledge set: any of the ence and demonstrate how to represent it in the knowledge- tuples is a possible input. The actual knowledge of the at- based setting. tacker is that tuples outside the knowledge set are not pos- sible inputs. Definition 1 (Noninterference). A command c satisfies non- `~1 As the computation progresses, the uncertainty might de- ¤ 0 interference if whenever M1 » M2, hM1; ci ¡! M1, crease because new observations might render some initial ¡ `~2 ¤ 0 ~ ~ 0 0 inputs impossible.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us