TUHH Open Research

Assumptions and guarantees for compositional noninterference

Publication Type
Conference Paper
Date Issued
2011-06
Language
English
Author(s)
Mantel, Heiko 
Sands, David  
Sudbrock, Henning  
TORE-URI
http://hdl.handle.net/11420/13885
Start Page
218
End Page
232
Article Number
5992165
Citation
Proceedings - IEEE Computer Security Foundations Symposium: 5992165, 218-232 (2011-09-16)
Contribution to Conference
24th Computer Security Foundations Symposium, CSF 2011  
Publisher DOI
10.1109/CSF.2011.22
Scopus ID
2-s2.0-80052650505
Publisher
IEEE
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of top-level security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with shared resources. This pessimism leads to many intuitively secure threads being labelled as insecure. Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs.
Subjects
Assumption-Guarantee
Compositional Verification
Flow-Sensitivity
Information Flow Security
DDC Class
004: Computer Science