Computer Science (计算机科学) ›› 2018, Vol. 45 ›› Issue (6A): 36-40.
ZHU Hao (朱浩)1,2, CHEN Jian-ping (陈建平)1
Abstract: The noninterference model is a foundational security model in information flow control. It guarantees zero leakage of sensitive information, but its security condition is overly restrictive: because of their functional requirements, software systems inevitably have to violate noninterference and release appropriate information. To keep an attacker from exploiting the release channel to obtain more information than intended, the channel must be controlled, which calls for policies and enforcement mechanisms for trusted declassification. This paper classifies existing declassification policies along several dimensions, grouped roughly into the content, principal, location and time of the release; it also classifies the enforcement mechanisms of existing declassification policies, roughly into static enforcement, dynamic enforcement and secure multi-execution. It compares the characteristics and shortcomings of these mechanisms, discusses the challenges facing follow-up research, and outlines future research directions.
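To make the contrast between strict noninterference and controlled release concrete, here is an added example (not from the paper) of the dynamic-enforcement idea: a small Python information-flow monitor in which any flow of secret data to a public output is blocked, while one sanctioned release along the content ("what") dimension, the outcome of a password comparison, is allowed. The names `Labeled`, `password_matches`, `emit` and the two sample programs are my own constructions.

```python
# Added example (not from the paper): a tiny dynamic information-flow monitor
# with a "what"-dimension declassification policy. Labels LOW/HIGH; a computed
# value takes the join (max) of its operands' labels; HIGH data never reaches a
# public sink except through the sanctioned escape hatch `password_matches`.
import hmac
from dataclasses import dataclass

LOW, HIGH = 0, 1

class FlowViolation(Exception):
    """Raised when the monitor sees an unsanctioned release of HIGH data."""

@dataclass(frozen=True)
class Labeled:
    value: object
    label: int

    def apply(self, other, op):
        # The result of an operation is tainted by both operands (label join).
        return Labeled(op(self.value, other.value), max(self.label, other.label))

def password_matches(stored: Labeled, guess: Labeled) -> Labeled:
    """Sanctioned declassification: releases only the one-bit comparison outcome."""
    ok = hmac.compare_digest(stored.value.encode(), guess.value.encode())
    return Labeled(ok, LOW)

def emit(out: list, v: Labeled) -> None:
    """Public sink: the monitor blocks anything still labelled HIGH."""
    if v.label == HIGH:
        raise FlowViolation("HIGH value blocked at public sink")
    out.append(v.value)

def login(stored_pw: str, guess: str) -> list:
    """Well-behaved program: only the comparison outcome is released."""
    secret, attempt = Labeled(stored_pw, HIGH), Labeled(guess, LOW)
    out = []
    emit(out, password_matches(secret, attempt))
    return out

def leaky_login(stored_pw: str, guess: str) -> list:
    """Buggy program: a concatenation carrying the password is blocked."""
    secret, attempt = Labeled(stored_pw, HIGH), Labeled(guess, LOW)
    out = []
    emit(out, attempt.apply(secret, lambda a, b: a + b))  # label joins to HIGH
    return out
```

Under plain noninterference even `login` would be rejected, since its output depends on the secret; the policy admits exactly that one-bit dependency and nothing more.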