July 2015, Verona, Italy
Because information flow control mechanisms often rely on an underlying authorization mechanism, their security guarantees can be subverted by weaknesses in authorization. Conversely, the security of authorization can be subverted by information flows that leak information or that corrupt the trust configuration. We argue that interactions between information flow and authorization create security vulnerabilities that have not been fully identified or addressed in prior work. We explore how the security of decentralized information flow control (DIFC) is affected by three aspects of its underlying authorization mechanism: first, delegation of authority between principals; second, revocation of previously delegated authority; third, information flows created by the authorization mechanisms themselves. It is no surprise that revocation poses challenges, but we show that even delegation is problematic because it enables unauthorized downgrading. Our solution is a new security model, the Flow-Limited Authorization Model (FLAM), which offers a new, integrated approach to authorization and information flow control. FLAM ensures robust authorization, a novel security condition for authorization queries that ensures attackers cannot influence authorization decisions or learn confidential trust relationships. We discuss our prototype implementation and its algorithm for proof search.
Check your understanding of this paper by solving the following problems!
Assume p and q are primitive principals.
- Check that Definition 3 makes sense. Show that p ⊑ p ⊔ q and p ⊓ q ⊑ q. Convert these information-flow expressions into the authorization-lattice equivalents, and put the principals on both sides of the resulting inequalities into the shortest normal form possible.
Let X = ⊤→ and Y = ⊤←. Verify that X and Y are the top and bottom
elements of the information-flow lattice by writing the following
in the shortest normal form possible:
- p ⊔ X
- p ⊓ X
- p ⊔ Y
- p ⊓ Y