Assumptions and Guarantees for Compositional Noninterference

Heiko Mantel, David Sands, Henning Sudbrock
2011 2011 IEEE 24th Computer Security Foundations Symposium  
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of toplevel security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with
more » ... ed resources. This pessimism leads to many intuitively secure threads being labelled as insecure. Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs.
doi:10.1109/csf.2011.22 dblp:conf/csfw/MantelSS11 fatcat:ldr7p73czzcl5egspa5nxcdnom