
Exception-based information flow control in object-oriented systems

Published: 01 November 1998

Abstract

We present an approach to control information flow in object-oriented systems. The decision of whether an information flow is permitted or denied depends on both the authorizations specified on the objects and the process by which information is obtained and transmitted. Depending on the specific computations, a process accessing sensitive information could still be allowed to release information to users who are not allowed to directly access it. Exceptions to the permissions and restrictions stated by the authorizations are expressed as exceptions associated with methods. Two kinds of exceptions are considered: invoke exceptions, applicable during a method's execution, and reply exceptions, applicable to the information returned by a method. Information flowing from one object into another or returned to the user is subject to the different exceptions specified for the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction and define the conditions for safe information flow. We define security specifications and characterize safe information flows. We propose an approach to control unsafe flows and present an algorithm to enforce it. We also illustrate an efficient implementation of our controls and present some experimental results evaluating its performance.
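The mechanism the abstract sketches, as an added example that is not the paper's code or formalism: a small Python model in which the authorizations are per-object read ACLs, every value carries the set of users it may still be released to, and each method may carry invoke exceptions (applied to its arguments on entry) and reply exceptions (applied to its result). The safe-flow rule used here (a value may be stored in an object only if everyone who can read that object may receive the value, and returned to a user only if that user is among its readers), the user names, the objects and the methods are all constructed for the example; the paper's own definitions and enforcement algorithm are in the full text and are not reproduced here.

```python
"""Toy model of exception-based information flow control over object methods; an added
illustration, not the paper's formalism. Assumed model: per-object read ACLs as the
authorizations; each value carries the users it may be released to (intersected when values
are combined); invoke exceptions rewrite the readers of a method's arguments and reply
exceptions those of its result; a value may be stored in an object only if all who can read
the object may receive it, and returned to a user only if that user is among its readers."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

USERS = frozenset({"alice", "bob", "hr", "mgr"})   # constructed user population

@dataclass(frozen=True)
class Info:
    value: object
    readers: FrozenSet[str]   # users this information may be released to

@dataclass(frozen=True)
class Exc:
    kind: str                 # "invoke" (arguments on entry) or "reply" (return value)
    mode: str                 # "release" adds users, "restrict" removes them
    users: FrozenSet[str]

    def apply(self, readers: FrozenSet[str]) -> FrozenSet[str]:
        return readers | self.users if self.mode == "release" else readers - self.users

@dataclass
class Obj:
    name: str
    acl: FrozenSet[str]       # users authorized to read the object
    attrs: Dict[str, object] = field(default_factory=dict)

@dataclass
class Method:
    name: str
    body: Callable[..., Info]           # body(ctx, obj, args) -> Info
    exceptions: Tuple[Exc, ...] = ()

class FlowViolation(Exception): pass

def combine(*infos: Info) -> FrozenSet[str]:
    readers = USERS                     # derived info reaches only users allowed all sources
    for i in infos:
        readers &= i.readers
    return readers

class Ctx:
    def read(self, obj: Obj, attr: str) -> Info:
        return Info(obj.attrs[attr], obj.acl)   # goes only to those who may read obj

    def write(self, obj: Obj, attr: str, info: Info) -> Info:
        if not obj.acl <= info.readers:         # safe-flow check on the target object
            raise FlowViolation(f"{obj.name}.{attr}: acl not covered by {sorted(info.readers)}")
        obj.attrs[attr] = info.value
        return info

    def call(self, obj: Obj, method: Method, *args: Info) -> Info:
        def rewrite(kind: str, readers: FrozenSet[str]) -> FrozenSet[str]:
            for x in (e for e in method.exceptions if e.kind == kind):
                readers = x.apply(readers)
            return readers
        entered = tuple(Info(a.value, rewrite("invoke", a.readers)) for a in args)
        result = method.body(self, obj, entered)
        return Info(result.value, rewrite("reply", result.readers))

def run(user: str, obj: Obj, method: Method, *values: object) -> object:
    # A user's own inputs may go anywhere; the result must be releasable to that user.
    # (Authorization to invoke the method itself is a separate check, not modelled here.)
    result = Ctx().call(obj, method, *(Info(v, USERS) for v in values))
    if user not in result.readers:
        raise FlowViolation(f"{method.name}: result not releasable to {user}")
    return result.value

def denied(user: str, obj: Obj, method: Method, *values: object) -> bool:
    try:                                  # True if the flow control blocks the transaction
        run(user, obj, method, *values)
        return False
    except FlowViolation:
        return True

# Constructed scenario: salaries are readable by the employee and hr; the average is certified
# (reply exception) for release to the manager; the board's post method has an invoke
# exception releasing whatever it receives to the employees as well.
ALICE = Obj("alice_record", frozenset({"alice", "hr"}), {"salary": 5200})
BOB = Obj("bob_record", frozenset({"bob", "hr"}), {"salary": 4800})
PAYROLL = Obj("payroll", frozenset({"hr"}), {"records": [ALICE, BOB]})
BOARD = Obj("notice_board", USERS)

def _avg_salary(ctx, payroll, args):
    recs = ctx.read(payroll, "records")
    salaries = [ctx.call(r, GET_SALARY) for r in recs.value]
    return Info(sum(s.value for s in salaries) / len(salaries), combine(recs, *salaries))

GET_SALARY = Method("get_salary", lambda ctx, rec, args: ctx.read(rec, "salary"))
READ_NOTICE = Method("read_notice", lambda ctx, board, args: ctx.read(board, "notice"))
AVG_SALARY = Method("avg_salary", _avg_salary, (Exc("reply", "release", frozenset({"mgr"})),))
POST = Method("post", lambda ctx, board, args: ctx.write(board, "notice", args[0]),
              (Exc("invoke", "release", frozenset({"alice", "bob"})),))
PUBLISH_AVERAGE = Method("publish_average",
                         lambda ctx, p, args: ctx.call(BOARD, POST, ctx.call(p, AVG_SALARY)))
PUBLISH_ALICE = Method("publish_alice_salary",
                       lambda ctx, p, args: ctx.call(BOARD, POST, ctx.call(ALICE, GET_SALARY)))
```

On the constructed scenario, `run("mgr", PAYROLL, AVG_SALARY)` returns the average 5000.0 even though `run("mgr", ALICE, GET_SALARY)` is refused, which is the abstract's point that a process may release derived information to users who may not access the sources directly. `PUBLISH_ALICE` is refused even when hr runs it, because the board's invoke exception adds only alice and bob to the readers of a raw salary and mgr can read the board: an exception relaxes the flow for the users it names, it does not launder the information unconditionally.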



Reviews

Christoph E. Bannwart

In a database management system (DBMS), access control usually takes two forms: discretionary (DAC) and mandatory (MAC). DAC is supported in SQL through the GRANT command. In MAC, a security class is assigned to each database object and user. As Raghu Ramakrishnan has remarked, “The main drawback of mandatory access control schemes is their rigidity. … A satisfactory combination of discretionary and mandatory access controls is yet to be achieved” [1]. This situation is the starting point of the research and paper by Bertino et al. Their approach, which they call “flow control,” makes use of the fact that, in an object-oriented database management system (OODBMS), all information is accessed by procedures (methods). The authors propose to associate each procedure with a set of exceptions to the existing authorization schemes. In this way, they hope to provide the flexibility that is lacking in any combination of DAC and MAC. After an outline of their approach, the authors specify a language to express the exceptions and the exception conditions. Then they define “safe information flow” between objects and describe how unsafe flows could be controlled by message filtering. Other issues they deal with are the performance of flow control and the certification of exception and method specifications. The conclusion points to an important issue that may well decide whether the proposed approach will be practical for commercial systems: the administration of authorization and exceptions and the understanding of their interworking. In the meantime, this paper will form a good basis for an informed discussion of authorization in object-oriented systems.


Published in

ACM Transactions on Information and System Security, Volume 1, Issue 1 (Nov. 1998), 132 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/290163
Editor: Ravi Sandhu

Copyright © 1998 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States
