Information Flow Policy Design, Analysis, and Enforcement

Background

Information flow security has long been a focus of the security community. Information flow secrecy means that information is not leaked to unauthorized principals, i.e., those whose clearance does not dominate the access class of the data (clearances below the access class, or incomparable to it). Information flow integrity means that a subject does not depend on (i.e., read or execute) any information of lower integrity than itself.

In the classical lattice security models (Bell-LaPadula and Biba), secrecy and integrity are treated as duals of one another: information may only flow up the secrecy lattice (i.e., to principals of higher clearance), and information may only flow down the integrity lattice (i.e., to less trusted principals). Information flow secrecy has seen broad application in computing systems over the last 30 years, but it has limitations: (1) applications are often entrusted with managing information flow secrecy guarantees outside the enforcement mechanism's purview; (2) it is often necessary to reduce the secrecy of information for a broader good (declassification), but this lies outside the information flow secrecy models; and (3) the secrecy relationships themselves may change over time. These problems have vexed security researchers for the last 30 years.

The situation for information flow integrity has been even worse. Models of information flow integrity (e.g., Biba, LOMAC, Clark-Wilson) have been proposed but have not been widely adopted. In practice, integrity has been addressed in an ad hoc manner, by filtering data as it enters a network or by leaving it to applications.
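The two lattice rules described above, as an added illustration (this is not code from the page, from Gokyo, or from any of the cited papers): labels are (level, compartment set) pairs under the usual dominance order, and the Bell-LaPadula and Biba read/write checks are written side by side so that the duality, and the fact that incomparable labels are unauthorized in both directions, can be checked on constructed sample labels. The level numbers and label names are assumptions made for the example.

```python
"""Secrecy (Bell-LaPadula) and integrity (Biba) checks over one label lattice.

Added illustration, not code from the page or from Gokyo. A label is a
(level, compartments) pair; `dominates` is the usual partial order: a higher
or equal level and a superset of compartments. Sample labels are constructed.
"""
from typing import Dict, FrozenSet, Iterable, NamedTuple


class Label(NamedTuple):
    level: int                      # 0 is lowest; higher means more secret / more trusted
    compartments: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice. Incomparable labels dominate in neither direction."""
    return a.level >= b.level and a.compartments >= b.compartments


# Bell-LaPadula: information may flow only *up* the secrecy lattice.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read down only (subject must dominate object)."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: write up only (a write is a flow from subject to object)."""
    return dominates(obj, subject)


# Biba: the dual, information may flow only *down* the integrity lattice.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Read up only: a subject must not depend on lower-integrity data."""
    return dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Write down only: a subject must not contaminate higher-integrity data."""
    return dominates(subject, obj)


def flow_allowed(src: Label, dst: Label, model: str) -> bool:
    """Direct flow src -> dst. Secrecy requires dst to dominate src;
    integrity requires src to dominate dst."""
    return dominates(dst, src) if model == "secrecy" else dominates(src, dst)


def duality_holds(labels: Iterable[Label]) -> bool:
    """The classical duality: a flow x -> y that secrecy permits is exactly the
    flow y -> x that integrity permits, for every pair of labels."""
    labels = list(labels)
    return all(flow_allowed(x, y, "secrecy") == flow_allowed(y, x, "integrity")
               for x in labels for y in labels)


# Constructed sample lattice: two incomparable compartments at level 1.
LABELS: Dict[str, Label] = {
    "public": Label(0, frozenset()),
    "secret_A": Label(1, frozenset({"A"})),
    "secret_B": Label(1, frozenset({"B"})),
    "topsecret_AB": Label(2, frozenset({"A", "B"})),
}

if __name__ == "__main__":
    for model in ("secrecy", "integrity"):
        print(model)
        for name, src in LABELS.items():
            ok = [d for d, lbl in LABELS.items() if flow_allowed(src, lbl, model)]
            print(f"  {name} -> {', '.join(ok)}")
```

Note that secret_A and secret_B are incomparable: a secret_A subject can neither read nor write secret_B data under Bell-LaPadula, which is why "unauthorized" must be phrased as "clearance does not dominate" rather than "clearance is dominated by".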

Research

Our belief is that information flow is the right basis for information security goals (rather than more imprecise goals such as least privilege), but that information flow must be understood more precisely before it can be managed. We have two project directions: (1) models for automatic analysis of integrity information flows and (2) use of application-level information flows to obtain more accurate information flow enforcement.

Our early work focused on building a policy analysis tool, called Gokyo, for understanding information flow integrity in the SELinux strict policy.

Trent Jaeger, Reiner Sailer, and Xiaolan Zhang. Resolving Constraint Conflicts. In Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pages 105-114. June 2004.

Trent Jaeger, Reiner Sailer, and Xiaolan Zhang. Analyzing Integrity Protection in the SELinux Example Policy. In Proceedings of the 12th USENIX Security Symposium, pages 59-74. August 2003.

Trent Jaeger, Xiaolan Zhang, and Antony Edwards. Policy Management Using Access Control Spaces. ACM Transactions on Information and System Security, 6(3):327-364. 2003.

We found that the practical understanding of integrity most closely corresponded to the Clark-Wilson integrity model, but some of its requirements could not be met in practice. As a result, we defined a weakened version of Clark-Wilson, called CW-Lite, that enables practical application. We also assessed the efficacy of applying integrity measurement to CW-Lite.

Trent Jaeger, Reiner Sailer, and Umesh Shankar. PRIMA: Policy-reduced Integrity Measurement Architecture. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT). June 2006.

Umesh Shankar, Trent Jaeger, and Reiner Sailer. Toward Automated Information-Flow Integrity Verification for Security-Critical Applications. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS). February 2006.

The key observation behind CW-Lite is that applications generally have a small number of interfaces through which they accept low-integrity data. These interfaces must be designed to protect the application from that data (i.e., upgrade it after sanitizing it, or discard it), but there has been no principled way to verify that an application actually protects itself. We are working to combine information flow analysis of system policies, which shows how information flows between subjects and objects, with the secrecy and integrity information flow enforcement of the Jif programming language, to gain a complete and provable view of information flow enforcement.

Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel. From Trusted to Secure: Building and Executing Applications that Enforce System Security. In Proceedings of the 2007 USENIX Annual Technical Conference. June 2007.

Boniface Hicks, Sandra Rueda, Luke St. Clair, Trent Jaeger, and Patrick McDaniel. A Logical Specification and Analysis for SELinux MLS Policy. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT). June 2007.

Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel. Integrating SELinux with Security-Typed Languages. In Proceedings of the Third SELinux Symposium. March 2007.
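To make the Gokyo-style integrity analysis and the CW-Lite filtering-interface idea from the paragraphs above concrete, here is an added worked example (not Gokyo, and not code from any of the cited papers). It parses a constructed fragment of SELinux allow rules, builds the information flow graph the rules imply, taints every untrusted type, and reports the interfaces through which low-integrity data enters the trusted set without passing a declared filter, together with the trusted types that are contaminated as a result. The policy fragment, the type names, the trusted set, and the classification of permissions as read-like or write-like are all assumptions made for the example; they are not taken from the SELinux strict policy.

```python
"""Integrity information-flow analysis over a toy SELinux-style policy, in the
spirit of the Gokyo analysis and the CW-Lite filtering interfaces described on
this page. Added illustration: the policy fragment, type names and trusted set
are constructed, and this code is not Gokyo.

An `allow src tgt : class { perms }` rule yields a flow tgt -> src for each
read-like permission and src -> tgt for each write-like one. Types are either
trusted (the TCB) or untrusted. A flow from an untrusted type into a trusted
type crosses an interface that CW-Lite requires to be a declared filter;
otherwise it is reported as an entry point and the receiving trusted type, and
everything it then writes to, is contaminated.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, Set[str]]      # (src, tgt, class, perms)
Interface = Tuple[str, str, str, str]      # (src, tgt, class, perm)

# Assumed classification; a real analysis derives this from the class/perm map.
READ_LIKE = {"read", "getattr", "recv", "execute", "ioctl"}
WRITE_LIKE = {"write", "append", "send", "create", "setattr"}

# Constructed policy fragment in SELinux allow-rule syntax (not real policy).
POLICY = """
allow sshd_t sshd_exec_t : file { read execute };
allow sshd_t etc_t : file { read getattr };
allow sshd_t sshd_key_t : file { read };
allow sshd_t user_home_t : file { read write };
allow sshd_t inetd_port_t : tcp_socket { recv send };
allow sshd_t var_log_t : file { append };
allow user_t user_home_t : file { read write create };
allow user_t tmp_t : file { read write create };
allow user_t etc_t : file { read };
allow user_t passwd_exec_t : file { execute };
allow passwd_t etc_t : file { read write };
allow logrotate_t var_log_t : file { read write };
"""

# Assumed TCB for the example; user_t, user_home_t, tmp_t and the network
# port type inetd_port_t are untrusted.
TRUSTED = {"sshd_t", "sshd_exec_t", "sshd_key_t", "etc_t", "var_log_t",
           "logrotate_t", "passwd_t", "passwd_exec_t"}


def parse_policy(text: str) -> List[Rule]:
    """Parse `allow src tgt : cls { p1 p2 ... };` lines; ignore anything else."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").replace(":", " : ")
        if not line.startswith("allow") or "{" not in line:
            continue
        head, perms = line.split("{", 1)
        _, src, tgt, _, cls = head.split()
        rules.append((src, tgt, cls, set(perms.strip(" }").split())))
    return rules


def flow_graph(rules: List[Rule]) -> Dict[str, Set[Tuple[str, Interface]]]:
    """Map each type to the (destination type, interface) flows leaving it."""
    edges: Dict[str, Set[Tuple[str, Interface]]] = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for perm in perms:
            iface: Interface = (src, tgt, cls, perm)
            if perm in READ_LIKE:        # object contents flow into the subject
                edges[tgt].add((src, iface))
            elif perm in WRITE_LIKE:     # subject's data flows into the object
                edges[src].add((tgt, iface))
    return edges


def integrity_analysis(rules: List[Rule], trusted: Set[str],
                       filters: Set[Interface]) -> Tuple[Set[Interface], Set[str]]:
    """Return (unfiltered entry points, contaminated trusted types).

    Taint starts at every untrusted type and follows flow edges. An edge from an
    untrusted type into a trusted one is a boundary crossing: if its interface
    is in `filters` the taint stops there (CW-Lite assumes the subject upgrades
    or discards that input); otherwise it is recorded and the taint continues
    through the TCB, since a contaminated subject contaminates what it writes.
    """
    edges = flow_graph(rules)
    types = {s for s, _, _, _ in rules} | {t for _, t, _, _ in rules}
    tainted = set(types - trusted)
    queue = deque(tainted)
    entry_points: Set[Interface] = set()
    while queue:
        node = queue.popleft()
        for nxt, iface in edges.get(node, ()):
            if node not in trusted and nxt in trusted:
                if iface in filters:
                    continue
                entry_points.add(iface)
            if nxt not in tainted:
                tainted.add(nxt)
                queue.append(nxt)
    return entry_points, tainted & trusted


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    entries, bad = integrity_analysis(rules, TRUSTED, set())
    print("unfiltered entry points:", sorted(entries))
    print("contaminated trusted types:", sorted(bad))
    # Declaring sshd's two low-integrity interfaces as CW-Lite filters should
    # leave the TCB clean.
    print("after filters:", integrity_analysis(rules, TRUSTED, entries))
```

Run with no filters, the analysis reports exactly two entry points, sshd_t reading user_home_t and sshd_t receiving from inetd_port_t, and shows the transitive consequence that var_log_t and logrotate_t are contaminated through sshd_t's log appends; declaring those two interfaces as filters clears both results. This is the shape of the question CW-Lite asks of an application: which few interfaces must be verified to sanitize their input so that the rest of the TCB can be trusted.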

Tools

The Gokyo tool was designed for research purposes (for my own use), but we are working on a revision that would be more broadly applicable.

Publications

See above.

Acknowledgements

Thanks to IBM Research and the IBM Linux Technology Center for enabling continuation of this research.

Trent Jaeger, CSE Department, Pennsylvania State University.