Computer Science ›› 2018, Vol. 45 ›› Issue (6A): 36-40.

• Review Research •

Review of Trust Declassification for Software System

ZHU Hao (1, 2), CHEN Jian-ping (1)

  1. School of Computer Science and Technology, Nantong University, Nantong, Jiangsu 226019, China
  2. School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016, China
  • Online: 2018-06-20 Published: 2018-08-03
  • About the authors: ZHU Hao (born 1977), male, Ph.D., associate professor, CCF member; main research interest: software security; E-mail: searain@nuaa.edu.cn (corresponding author). CHEN Jian-ping (born 1960), male, professor; main research interests: numerical computation and privacy protection.
  • Supported by:
    the Jiangsu Province Postdoctoral Research Funding Program (1401022C) and the Nantong University Doctoral Research Start-up Fund (14B22)

Abstract: The non-interference model is the baseline security model of information flow control. It ensures zero leakage of sensitive information, but its security condition is too restrictive. To deliver their functionality, software systems inevitably have to violate the non-interference model and release appropriate information. To prevent an attacker from using the release channel to obtain more information than intended, the channel must be controlled, and trusted declassification policies and enforcement mechanisms must be established. Existing declassification policies are classified along the WHAT (content), WHO (principal), WHERE (location) and WHEN (time) dimensions, and existing enforcement mechanisms are classified into static enforcement, dynamic enforcement and secure multi-execution. The characteristics and shortcomings of these mechanisms are compared, the challenges facing subsequent research are discussed, and directions for future research are outlined.

Key words: Confidentiality, Information flow control, Non-interference, Trusted declassification

CLC Number:

  • TP311