Inference of Expressive Declassification Policies Jeff Vaughan Stephen Chong IEEE Security and Privacy May 23, 2011 @output "out" @output "out" @output "out" @output "out" @input "authCheckOk" @input "secret" @input "secret" @input "secret" @input "secret" class Client { return e; return true; throw new IllegalArgumentException(); } } } public static String fakeReadingArgs(int i) } if(i==0){ throws java.util.NoSuchElementException { } if (r == MOLE) { return this.next; if(i<42) { return null; return true; } return "bork bork"; } } return next.removePersistent(i−1); } else { } throw new java.util.NoSuchElementException(); public Role readerOf(String key) { return (s == r); } if (lookup(key) != null) { } public void set(int i, Object o) { } return lookup(key).getReader(); if(i < 0){ } } throw new IllegalArgumentException(); public static void main(String args[]){ return null; import java.util.Iterator; } String uname; } import java.util.NoSuchElementException; if(i==0){ String pwd; this.contents = o; String key; public String secretOf(String key) { public class SimpleArrayList implements Iterable { } else { try{ if (lookup(key) != null) { this.next.set(i−1, o); uname = fakeReadingArgs(0); return lookup(key).getData(); List contents; } pwd = fakeReadingArgs(1); } } key = fakeReadingArgs(2); return null; SimpleArrayList() {this.contents = new Nil();} } } public Object head() throws NoSuchElementException { catch (Exception e){ } int size() { return contents.size(); } return this.contents; System.out.println( class DbEntry{ boolean isEmpty() {return contents.isEmpty(); } } private String key; void clear() { this.contents = new Nil(); } "Useage \"java Client <uname> <pwd> <key>\"" ); private Role reader; public List tail() throws NoSuchElementException { return; private String data; private static abstract class List { return this.next; } private List() { } } public DbEntry(String key, Role reader, String data){ abstract int size(); } Login.init(); this.key = key; abstract boolean isEmpty(); Role r = Login.doLogin(uname, pwd); this.reader = reader; public abstract Object get(int i); //Zero−based lookup this.data = data; public abstract List removePersistent(int i); public Object get(int i) { if (r == null){ } public abstract void set(int i, Object o); return this.contents.get(i); "Login Failed"System.out.println( ); public abstract Object head() throws NoSuchElementException; } return; public String getKey(){ return this.key; } public abstract List tail() throws NoSuchElementException; } public Role getReader(){ return this.reader; } } public void add(Object card) { public String getData(){ return this.data; } this.contents = new Cons(card, this.contents); Database db = new Database(); } } class Login { private static class Nil extends List { if (authorizedToRead(r, key, db)) { private Nil(){}; public void remove(int i) { db.secretOf(key));System.out.println( private static class PwdTableEntry{ public int size() { return 0; } this.contents = this.contents.removePersistent(i); } else { String uname; public boolean isEmpty() { return true; } } String pwd; public Object get(int i) { throw new IllegalArgumentException(); } Role role; public List removePersistent(int i) { public void set(int i, Object o) { private PwdTableEntry(String uname, String pwd, Role role){ throw new IllegalArgumentException(); } this.contents.set(i, o); this.uname=uname; } "Access not authorized");System.out.println( this.pwd=pwd; public void set(int i, Object o) { throw new IllegalArgumentException(); } this.role=role; } public void addAll(SimpleArrayList lst) { } } Iterator i = lst.iterator(); } public Object head() throws NoSuchElementException { while(i.hasNext()){ private static boolean authorizedToRead(Role r, String key, Database db){ throw new NoSuchElementException(); this.add(i.next()); Role required = db.readerOf(key); private static SimpleArrayList pwds; } } ) (Role.lteq(required,return r)); ( } } public static void init() { public List tail() throws NoSuchElementException { } pwds = new SimpleArrayList(); throw new NoSuchElementException(); private class SimpleArrayListIterator implements Iterator{ class Database { pwds.add(new PwdTableEntry("Bond", "007", Role.SUPER_SPY)); } pwds.add(new PwdTableEntry("M", "0", Role.SPY)); } private List lst; private SimpleArrayList data; pwds.add(new PwdTableEntry("Q", "1337", Role.TECH_GUY )); } private static class Cons extends List{ public SimpleArrayListIterator(SimpleArrayList simpleArrayList) { public Database() { private Object contents; lst = simpleArrayList.contents; data = new SimpleArrayList(); public static Role doLogin (String userName, String pwd){ private List next; } data.add(new DbEntry("A", Role.SPY, "AA"))); ( for(int i=0; i < pwds.size(); i++){ private Cons(Object c, List n){ //slow but remove is a pain with a persistent data structure if (pwds.get(i) instanceof PwdTableEntry) { if(n==null){ public boolean hasNext() { PwdTableEntry e = (PwdTableEntry) pwds.get(i); throw new IllegalArgumentException(); return (!lst.isEmpty()); if( e.uname.equals(userName) && e.pwd.equals(pwd) ){ } } return e.role; } this.contents = c; public Object next() { data.add(new DbEntry("B", Role.SUPER_SPY, } this.next = n; if(lst instanceof Cons){ "BB"))); ( } } Cons c = (Cons) lst; return null; lst = c.tail(); } public int size() { return c.head(); return 1+next.size(); } } } class Role { throw new NoSuchElementException(); data.add(new DbEntry("C", Role.MOLE, public Object get(int i) { } "CC"))); ( public static final Role SPY = new Role("spy"); if(i < 0){ public static final Role SUPER_SPY = new Role("007"); throw new IllegalArgumentException(); public void remove(){ public static final Role MOLE = new Role("mole"); } throw new UnsupportedOperationException(); public static final Role TECH_GUY = new Role("tech"); if(i==0){ } return this.contents; } data.add(new DbEntry("D", Role.SPY, private final String id; } "DD"))); ( private Role(String id){ return next.get(i−1); public Iterator iterator() { } this.id = id; } return new SimpleArrayListIterator(this); } } //returns null if no such entry } private DbEntry lookup(String key) { public static boolean lteq(Role r, Role s){ public boolean isEmpty() { //I think we want a termination annotation here if (r == null || s == null){ return false; for(int i=0; i < data.size() ; i++){ return false; } if(data.get(i) instanceof DbEntry) { } DbEntry e = (DbEntry) data.get(i); public List removePersistent(int i) { if(e.getKey().equals(key)){ if (s == SUPER_SPY) { if(i < 0){ 2/24 @output "out" @output "out" @output "out" @output "out" @input "authCheckOk" @input "secret" @input "secret" @input "secret" @input "secret" class Client { return e; return true; throw new IllegalArgumentException(); } } } public static String fakeReadingArgs(int i) } if(i==0){ throws java.util.NoSuchElementException { } if (r == MOLE) { return this.next; if(i<42) { return null; return true; } return "bork bork"; } } return next.removePersistent(i−1); } else { } throw new java.util.NoSuchElementException(); public Role readerOf(String key) { return (s == r); } if (lookup(key) != null) { } public void set(int i, Object o) { } return lookup(key).getReader(); if(i < 0){ } } throw new IllegalArgumentException(); public static void main(String args[]){ return null; import java.util.Iterator; } String uname; } import java.util.NoSuchElementException; if(i==0){ String pwd; this.contents = o; String key; public String secretOf(String key) { public class SimpleArrayList implements Iterable { } else { try{ if (lookup(key) != null) { this.next.set(i−1, o); uname = fakeReadingArgs(0); return lookup(key).getData(); Inferred policyList contents; } pwd = fakeReadingArgs(1); } } key = fakeReadingArgs(2); return null; SimpleArrayList() {this.contents = new Nil();} } } public Object head() throws NoSuchElementException { catch (Exception e){ } int size() { return contents.size(); } return this.contents; System.out.println( class DbEntry{ boolean isEmpty() {return contents.isEmpty(); } } private String key; 7! void clear() { this.contents = new Nil(); } "Useage \"java Client <uname> <pwd> <key>\"" ); private Role reader; out if (authCheckOk[0]) public List tail() throws NoSuchElementException { return; private String data; private static abstract class List { return this.next; } private List() { } } public DbEntry(String key, Role reader, String data){ abstract int size(); } Login.init(); this.key = key; thenabstract boolean Reveal isEmpty(); (secret[0+], Role r = Login.doLogin(uname, pwd); this.reader = reader; public abstract Object get(int i); //Zero−based lookup this.data = data; public abstract List removePersistent(int i); public Object get(int i) { if (r == null){ } public abstract void set(int i, Object o); return this.contents.get(i); "Login Failed"System.out.println( ); public abstract Object head() throws NoSuchElementException; } return; public String getKey(){ return this.key; } public abstract List tail() throws NoSuchElementException;authCheckOk[1+]) } public Role getReader(){ return this.reader; } } public void add(Object card) { public String getData(){ return this.data; } this.contents = new Cons(card, this.contents); Database db = new Database(); } } class Login { private static class Nil extends List { if (authorizedToRead(r, key, db)) { private Nil(){}; public void remove(int i) { db.secretOf(key));System.out.println( private static class PwdTableEntry{ public int size() { return 0; } this.contents = this.contents.removePersistent(i); } else { String uname; public boolean isEmpty() { return true; } } String