kth.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
To Secure a Flow: From Specification to Enforcement of Information Flow Control
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. (Language-Based Security)ORCID iD: 0000-0003-2198-9818
2025 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The use of software has become increasingly prevalent, affecting nearly every aspect of our daily lives.  In this landscape, ensuring the security of software systems is more critical than ever, as vulnerabilities can lead to significant social and financial consequences.  Information flow control is a research area focused on developing methods and techniques to provide strong security guarantees against software attacks and vulnerabilities.  Information flow control achieves this by tracking how information flows within a program, ensuring that sensitive data does not reach unauthorized outputs.  This process can be challenging as it requires precisely defining the software system's security policy and developing mechanisms to enforce that policy against different types of attackers with varying capabilities.  

In this thesis, we examine language-based approaches to enforcing information flow control in software systems, with a focus on defining appropriate security policies, attacker models, and enforcement mechanisms to proactively secure modern software systems.  The thesis contributes to the state of the art of information flow security in several directions, both theoretical and practical, by investigating four key research questions: defining non-trivial security policies for real-world scenarios, developing appropriate attacker models, creating mechanisms to enforce information flow security conditions, and applying language-based techniques to real-world programming languages.  On the policy specification side, we provide a knowledge-based security framework capable of expressing many variants of dynamic policies as well as the Determinacy Quantale, a new semantic model for expressing disjunctive policies in database-backed programs, focusing on the conflict-of-interest classes.  We examine the role of attackers in defining security conditions, specifically two types of active attackers and three types of passive attackers with various degrees of capabilities.  Moreover, we investigate enforcement mechanisms, such as security type systems and symbolic execution, developed to statically enforce various information flow security policies.  Finally, to demonstrate the applicability of language-based approaches in real-world programs, we implement and evaluate the proposed enforcement mechanisms in the programming languages Java and P4.
Abstract [sv]

Användningen av mjukvara har blivit alltmer utbredd och påverkar i stort sett alla aspekter av våra dagliga liv. I detta sammanhang är det viktigare än någonsin att säkerställa säkerheten i mjukvarusystem, eftersom sårbarheter kan leda till betydande sociala och ekonomiska konsekvenser. Informationsflödeskontroll är ett forskningsområde som fokuserar på att utveckla metoder och tekniker för att tillhandahålla starka säkerhetsgarantier mot mjukvaruattacker och sårbarheter. Informationsflödeskontroll uppnår detta genom att spåra hur information flödar i ett program och säkerställa att känslig data inte når obehöriga utdata. Denna process kan vara utmanande eftersom den kräver en exakt definition av mjukvarusystemets säkerhetspolicy och utveckling av mekanismer för att upprätthålla policyn mot olika typer av angripare med varierande förmågor.

I denna avhandling undersöker vi språkbaserade tillvägagångssätt för att upprätthålla informationsflödeskontroll i mjukvarusystem, med fokus på att definiera lämpliga säkerhetspolicies, angriparmodeller och mekanismer för verkställande för att proaktivt säkra moderna mjukvarusystem. Avhandlingen bidrar till den aktuella forskningen inom informationsflödesäkerhet på flera sätt, både teoretiska och praktiska, genom att undersöka fyra centrala forskningsfrågor: att definiera icke-triviala säkerhetspolicies för verkliga scenarier, att utveckla relevanta angriparmodeller, att skapa mekanismer för att upprätthålla villkor för informationsflödesäkerhet samt att tillämpa språkbaserade tekniker på verkliga programmeringsspråk. När det gäller policy-specifikation presenterar vi ett kunskapsbaserat säkerhetsramverk som kan uttrycka många varianter av dynamiska policies samt Determinacy Quantale, en ny semantisk modell för att uttrycka disjunktiva policies i databasstödda program, med särskilt fokus på intressekonfliktklasser. Vi undersöker angriparens roll i att definiera säkerhetsvillkor, särskilt två typer av aktiva angripare och tre typer av passiva angripare med olika grad av förmågor. Vi undersöker mekanismer för efterlevnad, såsom säkerhetstypsystem och symbolisk exekvering, som utvecklats för att statiskt upprätthålla olika informationsflödessäkerhetspolicies. Slutligen, för att demonstrera användbarheten av språkbaserade metoder i verkliga program, implementerar och utvärderar vi de föreslagna mekanismerna på språk Java och P4.
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2025. , p. 341
Series
TRITA-EECS-AVL ; 2025:22
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-360008ISBN: 978-91-8106-199-4 (print)OAI: oai:DiVA.org:kth-360008DiVA, id: diva2:1937581
Public defence
2025-03-11, Kollegiesalen, Brinellvägen 6, Stockholm, 09:00 (English)
Opponent
Supervisors
Note

QC 20250214

Available from: 2025-02-14 Created: 2025-02-13 Last updated: 2025-02-25Bibliographically approved
List of papers
1. Language Support for Secure Software Development with Enclaves
Open this publication in new window or tab >>Language Support for Secure Software Development with Enclaves
2021 (English)Conference paper, Published paper (Refereed)
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-295509 (URN)10.1109/CSF51468.2021.00037 (DOI)000719322000019 ()2-s2.0-85125316246 (Scopus ID)
Conference
IEEE Computer Security Foundations Symposium (CSF 2021)
Note

QC 20210524

Available from: 2021-05-21 Created: 2021-05-21 Last updated: 2025-02-14Bibliographically approved
2. Enclave-Based Secure Programming with JE
Open this publication in new window or tab >>Enclave-Based Secure Programming with JE
2021 (English)In: 2021 IEEE SECURE DEVELOPMENT CONFERENCE (SECDEV 2021), Institute of Electrical and Electronics Engineers (IEEE) , 2021Conference paper, Published paper (Refereed)
Abstract [en]

Over the past few years, major hardware vendors have started offering processors that support Trusted Execution Environments (TEEs) allowing confidential computations over sensitive data on untrusted hosts. Unfortunately, developing applications that use TEEs remains challenging. Current solutions require using low-level languages (e.g., C/C++) to handle the TEE management process manually a complex and error-prone task. Worse, the separation of the application into components that run inside and outside the TEE may lead to information leaks. In summary, TEEs are a powerful means to design secure applications, but there is still a long way to building secure software with TEEs alone. In this work, we present J(E), a programming model for developing TEE-enabled applications where developers only need to annotate Java programs to define application-level security policies and run them securely inside enclaves.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021
Keywords
Information Flow Control, Trusted Execution Environment, Security Type System
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-301750 (URN)10.1109/SecDev51306.2021.00026 (DOI)000797871400015 ()2-s2.0-85124349071 (Scopus ID)
Conference
6th IEEE Secure Development Conference (SecDev'21), 18-20 October, 2021, Virtual/Online
Projects
TrustFullJointForceSOS
Note

QC 20210923

QC 20220708

Available from: 2021-09-10 Created: 2021-09-10 Last updated: 2025-02-14Bibliographically approved
3. Dynamic Policies Revisited
Open this publication in new window or tab >>Dynamic Policies Revisited
2022 (English)In: Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022, Institute of Electrical and Electronics Engineers (IEEE), 2022, p. 448-466Conference paper, Published paper (Refereed)
Abstract [en]

Information flow control and dynamic policies is a difficult relationship yet to be fully understood. While dynamic policies are a natural choice in many real-world applications that downgrade and upgrade the sensitivity of information, understanding the meaning of security in this setting is challenging. In this paper we revisit the knowledge-based security conditions to reinstate a simple and intuitive security condition for dynamic policies: A program is secure if at any point during the execution the attacker's knowledge is in accordance with the active security policy at that execution point. Our key observation is the new notion of policy consistency to prevent policy changes whenever an attacker is already in possession of the information that the new policy intends to protect. We use this notion to study a range of realistic attackers including the perfect recall attacker, bounded attackers, and forgetful attackers, and their relationship. Importantly, our new security condition provides a clean connection between the dynamic policy and the underlying attacker model independently of the specific use case. We illustrate this by considering the different facets of dynamic policies in our framework. On the verification side, we design and implement DynCoVer, a tool for checking dynamic information-flow policies for Java programs via symbolic execution and SMT solving. Our verification operates by first extracting a graph of program dependencies and then visiting the graph to check dynamic policies for a range of attackers. We evaluate the effectiveness and efficiency of DyncoVeron a benchmark of use cases from the literature and designed by ourselves, as well as the case study of a social network. The results show that DynCoVer can analyze small but intricate programs indicating that it can help verify security-critical parts of Java applications. We release Dyncover publicly to support open science and encourage researchers to explore the topic further.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2022
National Category
Computer Systems Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-309603 (URN)10.1109/EuroSP53844.2022.00035 (DOI)000851574500027 ()2-s2.0-85134038311 (Scopus ID)
Conference
7th IEEE European Symposium on Security and Privacy, Genoa, 6 June 2022,through 10 June 2022
Projects
JointForceInferVizTrustFull
Note

QC 20220927

Part of proceedings: ISBN 978-166541614-6

Available from: 2022-03-07 Created: 2022-03-07 Last updated: 2025-02-14Bibliographically approved
4. Disjunctive Policies for Database-Backed Programs
Open this publication in new window or tab >>Disjunctive Policies for Database-Backed Programs
2024 (English)In: 2024 IEEE 37TH Computer Security Foundations Symposium, CSF 2024, Institute of Electrical and Electronics Engineers (IEEE) , 2024, p. 388-402Conference paper, Published paper (Refereed)
Abstract [en]

When specifying security policies for databases, it is often natural to formulate disjunctive dependencies, where a piece of information may depend on at most one of two dependencies P-1 or P-2, but not both. A formal semantic model of such disjunctive dependencies, the Quantale of Information, was recently introduced by Hunt and Sands as a generalization of the Lattice of Information. In this paper, we seek to contribute to the understanding of disjunctive dependencies in database-backed programs and introduce a practical framework to statically enforce disjunctive security policies. To that end, we introduce the Determinacy Quantale, a new query-based structure which captures the ordering of disjunctive information in databases. This structure can be understood as a query-based counterpart to the Quantale of Information. Based on this structure, we design a sound enforcement mechanism to check disjunctive policies for database-backed programs. This mechanism is based on a type-based analysis for a simple imperative language with database queries, which is precise enough to accommodate a variety of row- and column-level database policies flexibly while keeping track of disjunctions due to control flow. We validate our mechanism by implementing it in a tool, DIVERT, and demonstrate its feasibility on a number of use cases.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024
Series
Proceedings IEEE Computer Security Foundations Symposium, ISSN 1940-1434
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:kth:diva-356018 (URN)10.1109/CSF61375.2024.00017 (DOI)001322679500026 ()2-s2.0-85205942253 (Scopus ID)
Conference
37th IEEE Computer Security Foundations Symposium (CSF), JUL 08-12, 2024, Enschede, NETHERLANDS
Note

Part of ISBN 979-8-3503-6204-6, 979-8-3503-6203-9

QC 20241111

Available from: 2024-11-11 Created: 2024-11-11 Last updated: 2025-02-14Bibliographically approved

Open Access in DiVA

thesis(74421 kB)254 downloads
File information
File name FULLTEXT01.pdfFile size 74421 kBChecksum SHA-512
2d514a80ea030e6bd7bb98bc61f9614952c73acef8afec47243ba2770e9e1bfde5512d2618c54186bb56e6d8677506ccf95247879fb95da9d067f37def499bc3
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Ahmadian, Amir M.
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 254 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 1516 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.46.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub