Dynamic, Flow Control-Based Information Management for Web Services

2011 ◽  
pp. 260-303
Author(s):  
Zahir Tari ◽  
Peter Bertok ◽  
Dusan Simic
Keyword(s):  
Web Services ◽  
Flow Control ◽  
Programming Languages ◽  
Information Management ◽  
Information Flow ◽  
Data Structures ◽  
Information Leakage ◽  
Information Flow Control ◽  
Proposed Model ◽  
Flow Of Information

Information Flow Control (IFC) is a method of enforcing confidentiality by using labels, data structures for specifying security classifications. IFC is used in programming languages to monitor procedures in an attempt to detect and prevent information leakage. While it ensures greater security, IFC excessively restricts flow of information. This chapter presents a model of information flow control using semi-discretionary label structures. We propose a set of rules that not only increase the flexibility of IFC, but also define labels as a practical component of a security system. We propose a dynamic approach using a centralized model for dynamic label checking, and verify the proposed model using theoretical proofs.

ASSOCIATION-BASED INFORMATION FLOW CONTROL IN OBJECT-ORIENTED SYSTEMS

2004 ◽  
Vol 14 (03) ◽  
pp. 291-322
Author(s):  
SHIH-CHIEN CHOU ◽  
YING-KAI WEN
Keyword(s):  
Flow Control ◽  
Information Flow ◽  
Information Leakage ◽  
Object Oriented ◽  
Control Model ◽  
Program Execution ◽  
Information Flows ◽  
Information Flow Control ◽  
Object Oriented Systems

Controlling information flows to prevent information leakage within an application is essential. According to the maturity of object-oriented techniques, many models were developed for the control in object-oriented systems. Since objects may be dynamically instantiated during program execution, controlling information flows among objects is difficult. Our research revealed that association is useful in the control. We developed an association-based information flow control model for object-oriented systems. It precisely controls information flows among objects through associations and constraints. It also offers features such as controlling method invocation through argument sensitivity, allowing declassification, allowing purpose-oriented method invocation, and precisely controlling write access. This paper proposes the model and the implementation of the model, which is composed of the language AbFlow (association-based flow) and its supporting environment.

Access Control and Information Flow Control for Web Services Security

2016 ◽  
Vol 11 (1) ◽  
pp. 44-76 ◽  
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Access Control and Information Flow Control for Web Services Security

2020 ◽  
pp. 185-219
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

scholarly journals Flexible dynamic information flow control in the presence of exceptions

2017 ◽  
Vol 27 ◽  
Author(s):  
DEIAN STEFAN ◽  
DAVID MAZIÈRES ◽  
JOHN C. MITCHELL ◽  
ALEJANDRO RUSSO
Keyword(s):  
Flow Control ◽  
Information Flow ◽  
Information Leakage ◽  
Coarse Grained ◽  
Sensitive Information ◽  
Data Confidentiality ◽  
Information Flow Control ◽  
Dynamic Information ◽  
Discretionary Access Control ◽  
Fine Grained

AbstractWe describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, influenced by the challenge of implementing IFC as a Haskell library, as opposed to the more typical approach of modifying the language runtime system. In particular, we take a coarse-grained, floating-label approach, previously used by IFC Operating Systems, and associate a single, mutable label—thecurrent label—with all the data in a computation's context. This label is always raised to reflect the reading of sensitive information and it is used to restrict the underlying computation's effects. To preserve the flexibility of fine-grained systems, LIO also provides programmers with a means for associating an explicit label with a piece of data. Interestingly, these labeled values can be used to encapsulate the results of sensitive computations which would otherwise lead to the creeping of the current label. Unlike other language-based systems, LIO also bounds the current label with acurrent clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. The latter, exceptions, are used in LIO to encode and recover from monitor failures, all while preserving data confidentiality and integrity—this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage due to monitor failure.

HLIO: mixing static and dynamic typing for information-flow control in Haskell

2015 ◽  
Vol 50 (9) ◽  
pp. 289-301 ◽  
Author(s):  
Pablo Buiras ◽  
Dimitrios Vytiniotis ◽  
Alejandro Russo
Keyword(s):  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
Dynamic Typing
Sign in / Sign up

Export Citation Format

Share Document