Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield,...
-
Upload
rosanna-lloyd -
Category
Documents
-
view
227 -
download
1
Transcript of Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield,...
![Page 1: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/1.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Language-Based Information Flow Security
Andrei Sabelfield, Andrew C. Myers
Presentation: Ashish [email protected]
![Page 2: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/2.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Outline• Security requirements
• Information flow – background
• Language-based information flow
• Open challenges
• Discussion
• Conclusion
![Page 3: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/3.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Information flow?
h
l
h
l
data flow
confidential
confidential
h
l
confidential
open
![Page 4: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/4.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Information flow?
h
l
h
l
data flow
confidential
confidential
h
l
confidential
open
leak?
![Page 5: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/5.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Information flow?
data flow
h
l
confidential
open but trusted
l’ open but non-trusted
![Page 6: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/6.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Information flow?
data flow
h
l
confidential
open but trusted
l’ open but non-trusted
encrypted: h l
e.g. password sharing
![Page 7: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/7.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Information flow?
data flow
h
l
confidential
open but trusted
No leak
l’ open but non-trusted
may flow?leak
![Page 8: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/8.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Explicit Information Flow
data flow
h
l
confidential
open but trusted
No leak
l’ open but non-trusted
may flow?leak
h
l
confidential
open
leak
![Page 9: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/9.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Property-I of IFlow
• Confidentiality: A rigorous requirement
– can confidentiality guarantee of a system be proven?
![Page 10: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/10.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Implicit Information Flow
if h=1
l=1 l=0
control flow
true
![Page 11: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/11.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Implicit Information Flow
if h=1
l=1 l=0
control flow
true
l => h
Leak: implicit
![Page 12: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/12.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Implicit Information Flow
if h=1
l=1 l=0
control flow
true Leak: implicit
![Page 13: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/13.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Property-I of IFlow• Confidentiality: A rigorous requirement
– can confidentiality guarantee of a system be proven?
– can explicit and implicit flows be controlled?
• Relationship with data and control dependency ???
![Page 14: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/14.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Covert channels• Implicit flows
– covert• Termination channel
– termination-sensitive confidentiality• Timing channels
– subsumes termination channel• Probabilistic channel
– PDF of output data• Resource exhaustion channel
– memory or disk space: high value for malloc()• Power channels
– related: recent work about the age of running system – thus attack vulnerability
![Page 15: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/15.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Properties of IFlow• No propagation of high confidential data to
low confidential container
• Rigor: On all paths - no leak – makes it easy for static-time solutions
![Page 16: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/16.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Mechanisms• Access control
– controls release of information, not propogation
– no control on “how data is used”
• Language-based techniques– Runtime: JVM – applets, sandbox– Bytecode verifier
• no control on propagation
• Type systems
![Page 17: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/17.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Type systems• Compositional reasoning
– incremental construction: from a correct system to a larger and correct system
– structural induction (will return to this later)
– objective: correct computation– modified objective: correct confidentiality-
preserving computation
![Page 18: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/18.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Type systems• Compositional reasoning
– incremental construction: from a correct system to a larger and correct system
– structural induction (will return to this later)
• Objective: correct computation– modified objective: correct confidentiality-
preserving computation
![Page 19: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/19.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Explicit Information Flow
h
l
confidential
open
leak
high
low
high
high
high
higher
X
![Page 20: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/20.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Explicit Information Flow
high
high
high
higher
partial order lattice modelof confidentiality
goodfor static analysis
Label creep
MAC
![Page 21: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/21.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Static Information Flow Control• Program analysis: Denning and Denning
• Theorem provers
• Type checking
![Page 22: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/22.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Type checking• Security type systems
– oridinary type: int, char– label: static labeling on its confidentiality
semantics
• Static type checking detects leaks– conservative: so false positive
• structural induction
– cannot completely control covert channels• semantics – values Undecidability
![Page 23: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/23.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Type checking• Security type systems
– oridinary type: int, char– label: static labeling on its confidentiality
semantics
• Static type checking detects leaks– conservative: so false positive
• structural induction
– cannot completely control covert channels• semantics – values Undecidability
![Page 24: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/24.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Explicit Information Flow
high
low
high
high
high
higher
X
{ high }
{ low }
X
![Page 25: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/25.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Non-interference
high
low
high
high
high
higher
X
{ high }
{ low }
Xnon-interference
no explicit or implicit pathfrom any high to any low
![Page 26: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/26.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Non-interference
high
low
high
high
high
higher
X
{ high }
{ low }
Xnon-interference
no explicit or implicit pathfrom any high to any low
No dependency: data or control
![Page 27: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/27.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Semantics-based security• variation of high input does NOT lead to
(observable) variation on low output
![Page 28: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/28.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Semantics-based security• Two inputs are equivalent if they agree on low
output values
![Page 29: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/29.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Semantics-based security• Two inputs are
equivalent if they agree on low output values
![Page 30: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/30.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Semantics-based security• Two inputs are
equivalent if they agree on low output values
![Page 31: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/31.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Semantics-based security• l: = h• if (h=3) then l:=5 else skip
![Page 32: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/32.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Security Type System
![Page 33: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/33.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Security Type System• Restrictive, because it has to be secure in
an incremental and compositional manner
![Page 34: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/34.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Directions• Expressiveness
• Concurrency
• Covert channels
• Refining security policies
![Page 35: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/35.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Directions
![Page 36: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/36.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Expressiveness• Functions
– SLam: First-class functions [Heintze et al]• non-interference
– First-class continuations [Zdancewic et al]• non-interference
• Exceptions– explicit and implicit flows– path labeling by Myers
• JFlow by Myers: Java – Jif compiler
![Page 37: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/37.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Nondeterminism
![Page 38: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/38.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Nondeterminism: possibilistic security
condition– set of high inputs may not affect set of low
outputs– dependencies between variables
![Page 39: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/39.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Nondeterminism: possibilistic security
condition– equational security property
![Page 40: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/40.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Nondeterminism: possibilistic security condition
– partial equivalence relations
• PER: symmetric and transitive over a subset of inputs
![Page 41: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/41.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Thread concurrency
– non-atomicity
• Non-interference requirements: – no “high” guard in a while loop– no if with “high” guard having a while loop in its branch
• termination leak• timing leak
![Page 42: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/42.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Thread concurrency
– non-atomicity
• Non-interference requirements: – no “high” guard in a while loop– no if with “high” guard having a while loop in its branch
• termination leak• timing leak
![Page 43: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/43.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Concurrency• Thread concurrency
– non-atomicity
• Scheduler-independent security– uniform scheduler [Sabelfield and Sands]
• Type systems: rule out synchronization on “high” data.– Sabelfield
![Page 44: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/44.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Distributed programs• non-trusted parties
• parties’ concurrency property
• failures
• Secure program partitioning: high and low
![Page 45: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/45.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Discussion• Illustrated Security type system : simple yet
powerful – expressive– precise– easily extensible to a lattice model of access control
• Organization of the survey addresses– all langauge-level factors clearly and precisely– illustrates important issues and challenges with simple
examples– considers both formal approaches and informal
aproaches in the light of the • hard-ness• undecidability of the geneal nature of the problem
![Page 46: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/46.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Critique• Presentation very compact: lacking
– useful illustration and explanation of the concepts and approaches
– relation between various approaches need to be established
• How to make the approaches such as security type systems part of pragmatic languages
• Needed to address program certification more detailed in a compositional framework
![Page 47: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/47.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Some Ideas• Slicing towards proving non-interference
• Use of SSA in checking policy-violations
![Page 48: Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu.](https://reader033.fdocuments.net/reader033/viewer/2022052603/56649cfa5503460f949cc2d4/html5/thumbnails/48.jpg)
Ashish Kundu CS590F Purdue 02/12/07
Some Ideas• Error Handling: an error violation of integrity
policy– dual of confidentiality: <high, low> :: <low’,
high’>
• Exceptions resulting in termination– illegal flow of information?– self-healing systems